
$10.5k Bounty Story

aimaster
2 min readFeb 13, 2025


How a hacker discovered a critical IDOR flaw in PayPal’s business API and earned a hefty reward.


🕵️‍♂️ The Target: PayPal’s Business Management Portal

While testing PayPal’s business management features, the researcher focused on the /businessmanage/users/api/v1/users endpoint, which handles secondary user creation. PayPal Business Accounts let owners create sub-accounts with permissions such as fund transfers, refunds, and balance viewing, so any authorization weakness in this endpoint is high-impact.

🔍 Spotting the Flaw: Missing Authorization Checks

By intercepting the “Add User” request, the researcher noticed that the API blindly trusted the business_id parameter: the server never checked that the logged-in account actually administered the business named in the body. Changing it to another business ID (e.g., 1660971175791245038, the VICTIM_ID placeholder in the request below) let the researcher add a user with the admin role to that victim’s business. Worse, sub-account IDs were sequential (e.g., 446113495), so other businesses’ sub-accounts were trivial to enumerate rather than having to be guessed.

Vulnerable Request:

PUT /businessmanage/users/api/v1/users HTTP/1.1
Host: www.paypal.com

{
  "business_id": "VICTIM_ID",
  "user_email": "attacker@evil.com",
  "role": "admin"
}
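The missing check, modelled in Python as an added example (this is not the author’s write-up code or PayPal’s implementation). The business records, the account names “victim” and “attacker”, the second business ID and the sub-user numbering are constructed for illustration; the victim business ID and the starting sub-account number are the ones quoted above. The first handler behaves as the write-up describes (only “is someone logged in?” is checked), the second adds object-level authorization and replaces the sequential sub-user IDs with opaque ones.

```python
"""Added example, not code from the page or from PayPal: the 'add secondary
user' handler with and without an ownership check on business_id."""
import secrets
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Authorization failure: the caller does not administer the target business."""


@dataclass
class Business:
    business_id: str
    admins: set = field(default_factory=set)   # account names allowed to manage users
    users: dict = field(default_factory=dict)  # sub-user id -> {"email": ..., "role": ...}


def fresh_businesses() -> dict:
    """Constructed sample data: two unrelated businesses, each with one admin.
    The first ID is the victim ID quoted in the write-up; the second is made up."""
    return {
        "1660971175791245038": Business("1660971175791245038", admins={"victim"}),
        "1660971175791245099": Business("1660971175791245099", admins={"attacker"}),
    }


def add_user_vulnerable(businesses: dict, session_account: str, payload: dict) -> str:
    """The flaw as described: the handler verifies only that someone is logged in
    and then acts on whatever business_id the request body names. Nothing ties
    the caller to that business."""
    if not session_account:
        raise Forbidden("not logged in")
    business = businesses[payload["business_id"]]
    sub_user_id = str(446113495 + len(business.users))  # sequential: trivially enumerable
    business.users[sub_user_id] = {"email": payload["user_email"], "role": payload["role"]}
    return sub_user_id


def add_user_hardened(businesses: dict, session_account: str, payload: dict) -> str:
    """Object-level authorization: the business must exist AND the caller must
    already be one of its admins. Both failures return the same error so the
    response does not confirm which business IDs are valid."""
    business = businesses.get(payload["business_id"])
    if business is None or session_account not in business.admins:
        raise Forbidden("not an admin of this business")
    sub_user_id = secrets.token_urlsafe(16)  # opaque, non-sequential identifier
    business.users[sub_user_id] = {"email": payload["user_email"], "role": payload["role"]}
    return sub_user_id


def attacker_gets_admin(handler) -> bool:
    """Replays the write-up's request against a handler: the attacker, logged in
    to their own account, names the victim's business_id. Returns True if an
    admin entry for the attacker's e-mail lands in the victim's business."""
    businesses = fresh_businesses()
    payload = {"business_id": "1660971175791245038",
               "user_email": "attacker@evil.com", "role": "admin"}
    try:
        handler(businesses, "attacker", payload)
    except Forbidden:
        pass
    victim = businesses["1660971175791245038"]
    return any(u["email"] == "attacker@evil.com" and u["role"] == "admin"
               for u in victim.users.values())


if __name__ == "__main__":
    print("vulnerable handler hijacked:", attacker_gets_admin(add_user_vulnerable))
    print("hardened handler hijacked:  ", attacker_gets_admin(add_user_hardened))
```

The point of the hardened version is that authorization is derived from the session, not from the request: the server looks up which businesses the caller already administers and rejects any business_id outside that set. Opaque sub-user IDs do not fix the IDOR by themselves, but they remove the free enumeration that sequential IDs gave an attacker.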

💥 Proof of Concept (PoC): Hijacking Business Accounts


Written by aimaster

Technology & Cybersecurity Writer | Helping You Navigate the Digital Landscape 🖋️
