Member-only story
How hacker discovered a critical IDOR flaw in PayPal’s business API and earned a hefty reward.
Free Article Link: Click here 👈
🕵️♂️ The Target: PayPal’s Business Management Portal
While testing PayPal’s business management features, researcher focused on the /businessmanage/users/api/v1/users endpoint, which handles secondary user creation. PayPal Business Accounts allow owners to create sub-accounts with permissions like fund transfers, refunds, and balance viewing – making this a high-risk target.
🔍 Spotting the Flaw: Missing Authorization Checks
By intercepting the “Add User” request, researchernoticed the API blindly trusted the business_id parameter. Modifying it to another business ID (e.g., 1660971175791245038 → VICTIM_ID) allowed unauthorized admin access. Worse, sub-account IDs were sequential (e.g., 446113495), making them easy to brute-force.
Vulnerable Request:
PUT /businessmanage/users/api/v1/users HTTP/1.1Host: www.paypal.com
{
"business_id": "VICTIM_ID",
"user_email": "attacker@evil.com",
"role": "admin"
}💥 Proof of Concept (PoC): Hijacking Business Accounts
Steps:
1️⃣ Register a PayPal Business Account.
2️⃣ Intercept the “Add User” request using Burp Suite.
3️⃣ Replace business_id with a victim’s ID (obtained via enumeration).
4️⃣ Send the request the attacker’s email gains admin privileges.
Impact:
- Financial Fraud: Transfer funds from victim accounts.
- Data Breaches: Access transaction histories and customer data.
- Reputation Damage: Loss of trust in PayPal’s security.
🛠️ Technical Breakdown: Why This Happened
PayPal made three critical mistakes:
