PayPal IDOR via billing Agreement Token (closed Informative, payment fraud)

2 years ago 132
BOOK THIS SPACE FOR AD
ARTICLE AD

Hello everyone, in this article I will show you an Insecure direct object references (IDOR) that I found on PayPal 7 months Ago where an attacker can expose PayPal users data: billing address,email, nonce code using billing Agreement Token.

A critical security issue in api.braintreegateway.com where I was able to create a PayPal transaction just by knowing billing Agreement Token of the users. the issue is That, this endpoint api.braintreegateway.com/merchants/<ID>/client_api/v1/payment_methods/paypal_accounts should be authenticated by the merchant. but the user can send post requests to this endpoint. and generate Payment Method Nonces.

I was reading the documents about Payment Method Nonces,

A payment method nonce is a secure, one-time-use reference to payment information. It’s the key element that allows your server to communicate sensitive payment information to Braintree without ever touching the raw data.

source: https://developer.paypal.com/braintree/docs/guides/payment-method-nonces

and I understand that, if I am able to get valid billing Agreement Token of another user I can generate a new Nonces code > make Payment!

I Reproduced this bug In a real merchant that uses Braintree which is grammarly.com. also,

go to https://www.grammarly.com/upgrade and log in with your accountChoose Your Plan, and select Paypal as the payment method, now make an intercept onclick on Paypal checkout, then accept the payment.when you come to this request, drop it, to cancel the payment (And this way you won’t have to pay anything to Grammarly :’.POST /api/v1/subscribe HTTP/1.1
Host: subscription.grammarly.com
Connection: close
Content-Length: 135
Cookie: <>
nonce=<nonce>&planId=1005&sessionId=<sessionId>&isTaxable=false&billingCountryCode=US

you can see Grammarly is use Payment Method Nonces and this Nonce can be generated in the unauthenticated endpoint.
back to burp history, and find this endpoint:

https://api.braintreegateway.com/merchants/68r2vzdxyjwst8d7/client_api/v1/payment_methods/paypal_accounts

send it to the repeater.

now to confirm the bug: open the victim Paypal account, repeat the same steps, and copy the billingAgreementTokenfrom victim account.

now change the billingAgreementToken in api.braintreegateway.com/merchants/68r2vzdxyjwst8d7/client_api/v1/payment_methods/paypal_accounts to the victim token.

note: 68r2vzdxyjwst8d7 is Grammarly public client ID .

in the response, you will find that you are able to generate Nonces codes using billing Agreement Token for the victim. and no specific authentication is needed.

how an attacker can get the billingAgreementToken for other users?

now If you ask, how an attacker can get valid billingAgreementToken ! well there are tons of ways :

## 1. Wayback Machine

you can use these tools :

https://web.archive.org/web/*/paypal.com/*

gau tool resultes : commend : gau paypal.com | grep "ba_token"

and as you can see there are more soo many leaked billingAgreementToken in wayback machine. and this is because the billingAgreementToken is a public token :).

The next step for the attacker is to find the valid merchants that can accept one of these billingAgreementToken for example if one of these tokens is used in Grammarly, the attacker send the post request: https://api.braintreegateway.com/merchants/68r2vzdxyjwst8d7/client_api/v1/payment_methods/paypal_accounts

and in the response he will receive the user Paypal information, although the attacker needs to find the right merchants id and test all the tokens.

and this step is possible 100% , how many companies use Braintree Gateway? 1000 or 99999? The number is very limited :) .

2. google dork.

and because the billingAgreementToken is passed in GET request, you can find some of them on google using this dork , There isn't much :( .

3. laked in 3rd party

also I found that the billingAgreementToken is leaked to Third-party for example Google Analytics

missing authentication In sansative endpint , an attacker can expose payapl user data : billing Address,email,nonce code using billing Agreement Token.

also this endpoint api.braintreegateway.com/merchants/<ID>/client_api/v1/payment_methods/paypal_accounts used to generate a valid Nonce code, and this code can be used to make a payment to the merchant.

an attacker can make payments from Paypal victim's accounts.

HackerOne triage response :

for me , I Think this endpoint

https://api.braintreegateway.com/merchants/<ID>/client_api/v1/payment_methods/paypal_accounts

must be authenticated, the only ones who should have access to this endpoint should be the merchants using his API keys because there are so many authentication endpoints on api.braintreegateway.com and this one should be the same.

Read Entire Article