The main PayPal web site sets a cookie named "aksession" which
contains a blob of base64-encoded ciphertext. This ciphertext is
encrypted using a 64-bit block cipher in CBC mode and does not have
any other integrity protection. Naturally, this means the aksession
cookie is vulnerable to a padding oracle attack allowing full
decryption and forgery.

Here's an example of an aksession cookie:

1371856787~id=cookieMOF13DX8hKxMUVKWTDJ4Mp6lam2TdbUs44BJ7iduOubp9+zII2ZAWPz9C9HM3GQDGNhUPxyHZ9eHF9kkF6BYdLaRYxMIpGlMYgobM+FYnB8//iMqth8sT/wrigUy4jnV1OLnkkE2g4x=

The ciphertext begins immediately after the "cookie" string.  The
base64 value's first 8 bytes is the random initialization vector.  The
decrypted plaintext contains:

expiretime=1371856787&sessionip=61.183.192.0&strategy=0&scriptid=&challenge=0&seedid=PRI

This flaw currently still exists in the PayPal site.  PayPal was
notified through their bug bounty program, but they determined that
this flaw is "invalid" and does not deserve a bounty.  They said it
would be fine to publish it.

To be fair, this cookie does indeed contain no sensitive information.
However, I think it may be a bit short-sighted of PayPal to discount
this issue, since there are several potentially interesting parameters
in the plaintext that could be forged by an attacker.  I have only
ever observed plaintext values like the one above (that is, with
several parameters blank or "0"), so I can't tell for sure what they
are used for.  PayPal never confirmed for me whether or not they
investigated attack scenarios involving modification of the parameters.
(In general, their responses were incredibly terse and unhelpful.)
I've decided it isn't worth more of my time trying to fuzz these
parameters, but perhaps someone else will get lucky.


I figured I could at least use this issue as an educational
opportunity-- I've created a short video which demonstrates how to
identify and exploit this problem using the Bletchley[1] took kit:
   http://youtu.be/qqNgcc9v_DQ

If you are interested in learning more, note that I'll be giving a
2-day training course[2] at AppSecUSA 2013 which will cover exploitation of a
wide variety of common cryptography implementation problems, including
padding oracle flaws.


Finally, for those keeping score, here's a disclosure timeline:

 2013-06-22
 Initial notification with vulnerability details

 2013-06-24
 Form-letter response from PayPal

 2013-06-28
 Sent follow up with exploit script.

 2013-07-12
 Asked for an update from PayPal.  PayPal responded that the evaluation
 is still "in process".

 2013-07-15
 PayPal indicated that the bug is not eligible for a bounty because:
 "This cookie doesnt contain any sensitive information."

 2013-07-15
 Responded to PayPal urging them to investigate the possibility of
 malicious modification of parameters within the cookie, since doing
 this exhaustively in a black box way requires a great deal of effort.

 2013-08-06
 After being ignored in the prior email, asked PayPal if it would be ok
 to publish this flaw.

 2013-08-07
 PayPal responded with:
 "This bug does not contain any sensitive data and we have determined it
  is invalid. You may publish your findings regarding this bug."


Enjoy,
tim
@ecbftw


1. https://code.google.com/p/bletchley/

2. http://sched.co/19n00R5