PayPal's CSRF vulnerability to change phone numbers
In 2013, I disclosed a very serious CSRF vulnerability to the online payment giant PayPal. This vulnerability allowed a malicious attacker to silently change the phone number of a PayPal user, aiding the attacker in taking over the account through the password reset option.
Well, I was checking my PayPal balance back then, and as soon as I logged into the PayPal web application I was prompted to add and confirm a phone number for my PayPal account, as seen in the following screenshot:
As soon as I clicked Send Code, a one-time password arrived on my phone, and on my account settings page I saw that the number had already been changed to the new one I had requested the code for, even though I had not submitted the OTP to PayPal.
The most shocking thing was that the request sent to PayPal after clicking Send Code carried no anti-CSRF token or protection of any kind. This meant it was vulnerable to CSRF...
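To make the two defects concrete, here is an added example (not PayPal's code, and not from the original post) modelling the Send Code endpoint as a plain Python function: the vulnerable version accepts any authenticated post and overwrites the number immediately, while the hardened version requires a per-session synchronizer token and keeps the new number pending until the OTP sent to it is confirmed. The session dict, form dict and in-memory stores are constructed stand-ins for a real web framework.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the account backend (assumption).
ACCOUNT_PHONE = {}   # user_id -> confirmed phone number
PENDING_PHONE = {}   # user_id -> (phone, otp) awaiting confirmation


def issue_csrf_token(session):
    """Mint a per-session synchronizer token; the legitimate form echoes it back."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _token_ok(session, form):
    """Constant-time comparison of the submitted token against the session's."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(expected, supplied)


def send_code_vulnerable(session, form):
    """The pattern the post describes: no token check, and the number is
    overwritten as soon as the code is requested, before any OTP is entered."""
    ACCOUNT_PHONE[session["user_id"]] = form["phone"]
    return True


def send_code_hardened(session, form):
    """Same endpoint with both fixes: a cross-site post without the token is
    rejected, and a valid request only parks the number as pending."""
    if not _token_ok(session, form):
        return False
    otp = f"{secrets.randbelow(10**6):06d}"   # code that would be sent by SMS
    PENDING_PHONE[session["user_id"]] = (form["phone"], otp)
    return True


def confirm_code(session, form):
    """Commit the pending number only when the OTP matches (still token-guarded)."""
    if not _token_ok(session, form):
        return False
    pending = PENDING_PHONE.get(session["user_id"])
    if not pending or not hmac.compare_digest(pending[1], form.get("otp", "")):
        return False
    ACCOUNT_PHONE[session["user_id"]] = pending[0]
    del PENDING_PHONE[session["user_id"]]
    return True
```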