How a hacker discovered a critical IDOR flaw in PayPal’s business API and earned a hefty reward.
🕵️♂️ The Target: PayPal’s Business Management Portal
While testing PayPal’s business management features, the researcher focused on the /businessmanage/users/api/v1/users endpoint, which handles secondary user creation. PayPal Business Accounts allow owners to create sub-accounts with permissions such as fund transfers, refunds, and balance viewing, which makes this a high-risk target: whoever can add a sub-account to a business gets those permissions on that business.
🔍 Spotting the Flaw: Missing Authorization Checks
By intercepting the “Add User” request, the researcher noticed that the API blindly trusted the client-supplied business_id parameter: it never verified that the authenticated account actually owned or administered that business. Changing the value from the researcher’s own business ID (e.g., 1660971175791245038) to the victim’s (VICTIM_ID) made the API add the attacker as a user of the victim’s business, granting unauthorized admin access. Worse, sub-account IDs were sequential (e.g., 446113495), so valid targets were easy to enumerate by brute force.
Vulnerable Request:
PUT /businessmanage/users/api/v1/users HTTP/1.1
Host: www.paypal.com

{
  "business_id": "VICTIM_ID",
  "user_email": "attacker@evil.com",
  "role": "admin"
}
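To make the missing check concrete, here is an added example (not PayPal’s code, and not from the original write-up) that models the “Add User” handler twice: once trusting business_id from the body as described above, and once with the object-level authorization the endpoint lacked. The session model, the in-memory store, the principals “alice” and “bob”, and the business-to-admin mapping are all constructed for the example; the two business IDs are reused from the article only as labels.

```python
"""Toy model of the 'Add User' endpoint: a handler that trusts the
client-supplied business_id, beside one that authorizes the caller
against that business before acting. Constructed example, not PayPal's
code; every identifier and fixture below is made up for illustration."""
from dataclasses import dataclass, field
import secrets

# Constructed fixture: which authenticated principal administers which business.
BUSINESS_ADMINS = {
    "1660971175791245038": {"alice"},   # the attacker's own business
    "VICTIM_ID": {"bob"},               # the victim's business
}


@dataclass
class Session:
    principal: str   # authenticated user, established from the session cookie


@dataclass
class Store:
    # business_id -> list of (user_email, role) sub-accounts
    users: dict = field(default_factory=dict)

    def add(self, business_id, email, role):
        self.users.setdefault(business_id, []).append((email, role))


def add_user_vulnerable(session, body, store):
    """Mirrors the flaw: business_id comes straight from the request body,
    so the caller only has to be logged in, not authorized for that business."""
    store.add(body["business_id"], body["user_email"], body["role"])
    return 200


def can_manage(principal, business_id):
    """Server-side ownership lookup; unknown business -> False (deny by default)."""
    return principal in BUSINESS_ADMINS.get(business_id, set())


def add_user_fixed(session, body, store):
    """Object-level authorization: the authenticated principal must be an
    admin of the business named in the body. Returns the same status whether
    the business is missing or simply not ours, so the response does not
    reveal which business IDs exist."""
    business_id = body.get("business_id")
    if not business_id or not can_manage(session.principal, business_id):
        return 403
    store.add(business_id, body["user_email"], body["role"])
    return 200


def new_sub_account_id():
    """Non-sequential identifier for new sub-accounts. This does not replace
    the authorization check; it only removes the cheap enumeration that
    sequential IDs allowed."""
    return secrets.token_urlsafe(16)


def demo():
    """Replay the article's request as 'alice' against both handlers."""
    attacker = Session(principal="alice")
    payload = {"business_id": "VICTIM_ID",
               "user_email": "attacker@evil.com",
               "role": "admin"}
    vuln_store, fixed_store = Store(), Store()
    v = add_user_vulnerable(attacker, payload, vuln_store)
    f = add_user_fixed(attacker, payload, fixed_store)
    return (v, f,
            vuln_store.users.get("VICTIM_ID", []),
            fixed_store.users.get("VICTIM_ID", []))


if __name__ == "__main__":
    print(demo())   # vulnerable handler: 200 and attacker added; fixed: 403, nothing added
```

The fix is the lookup in can_manage: the business is resolved from the server’s own record of what the session principal administers, never from the body alone. Random sub-account IDs are a defence-in-depth measure on top of that, not a substitute for it.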