All PayPal accounts were 1 click away from hijacking

Until Egyptian cyber-security researcher Yasser Ali found it and reported it to PayPal, there was a security hole that meant 150 million-plus customers were one measly click away from account hijacking.

Ali said in a blog post that the "critical vulnerability" meant an attacker could hijack any PayPal user account and have their way with it, including but not limited to the ability to:

  • Add/remove/confirm email address
  • Add fully privileged users to a business account
  • Change security questions
  • Change billing/shipping address
  • Change payment methods
  • Change user settings (notifications/mobile settings)

In other words, an attacker could have picked an account, exploited the hole, and gone on to install their own contact details and to switch the billing address, shipping address and payment methods as they liked.

Via Paulo Félix