XSS in PayPal acquisition!

So I was doing my regular bug hunting about a month ago, and I decided to take up PayPal's bug bounty program. One thing I always try to do is target acquisitions in scope, rather than going directly for the main site (go figure).

So the acquisition is called 'Xoom'. I spent a few hours looking for low-hanging fruit: XSS, XSRF, anything. Didn't have any luck. Just as I was about to shut down my laptop, I received an email from Xoom. At the bottom of the email was an 'unsubscribe' button. I decided to test it. Now this is where things get interesting!
If you decide to unsubscribe from the main website, you get to an endpoint like www.xoom.com/[email protected]. I thought of trying for XSS here, as I saw the email param value was getting reflected in the source. No luck!

But when you choose to unsubscribe from within the email template, you are taken to an address like refer.xoom.com/[email protected]. And this param was vulnerable to XSS and broken access controls! (I could've inserted a random email address here and had it unsubscribed from the Xoom mailing list.)
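
An added example (not from the original post and not Xoom's code) of how an unsubscribe endpoint can close both issues described above: the link carries an HMAC tag bound to one address, and the reflected value is HTML-escaped before it is written into the page. The secret key, function names and URL are assumptions made for the illustration.

```python
import hashlib
import hmac
import html
from urllib.parse import urlencode

# Assumption: a server-side secret; this value is constructed for the demo.
SECRET_KEY = b"constructed-demo-key-rotate-in-production"


def sign_email(email: str) -> str:
    """HMAC-SHA256 tag that binds an unsubscribe link to one address."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(SECRET_KEY, normalized, hashlib.sha256).hexdigest()


def build_unsubscribe_link(base_url: str, email: str) -> str:
    """Link placed in the outgoing email (base_url is a placeholder)."""
    query = urlencode({"email": email, "sig": sign_email(email)})
    return base_url + "?" + query


def handle_unsubscribe(params: dict, unsubscribed: set) -> tuple:
    """Return (status, html_body) for one unsubscribe request."""
    email = params.get("email", "")
    sig = params.get("sig", "")

    # Access control: only an address whose tag we issued may be removed.
    # Compare as bytes so a non-ASCII sig cannot raise, and in constant time.
    expected = sign_email(email).encode("ascii")
    if not hmac.compare_digest(expected, sig.encode("utf-8")):
        # The rejected input is deliberately not echoed back.
        return 403, "<p>Invalid unsubscribe link.</p>"

    unsubscribed.add(email.strip().lower())

    # Output encoding: escape the reflected value for the HTML context.
    safe_email = html.escape(email, quote=True)
    return 200, "<p>{} has been unsubscribed.</p>".format(safe_email)
```
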

Takeaways:

1.) Always go out-of-band.
2.) Don't give up!

Bounty?



Regards,
t4kemyh4nd
