PayPal has fixed a security hole that could have allowed fraudsters to hijack production systems. According to PC World, the vulnerability could have allowed attackers to install a backdoor on PayPal's systems.
The magazine described how Michael Stepankin, a bug bounty hunter, found the vulnerability in the manager.paypal.com website. “After he reported the issue to PayPal and it got fixed, the company gave him a reward through its bug bounty program, even though his report was marked as a duplicate. It turns out that another security researcher reported the same issue a few days earlier, proving that people are currently scanning for this type of vulnerability.”
PayPal’s engineering team addressed the vulnerability and said that, while the security community has known about deserialization vulnerabilities for a few years, “they were considered to be theoretical and hard to exploit.”
You can read PayPal’s post on the PayPal-Engineering.com website.