Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack)

As you may know, you can upload a picture to paypal.com. Until recently this picture was pretty useless, but now it is displayed on you paypal public page.

Paypal.me is a public page linked to your Paypal account that offers an easy way to receive/send money. For instance mine is there. If I need to send some money to one of my friends, I go to its page, choose the amount and submit. You can use this page as a convenient way to accept donations.

There are two different websites, paypal.me and paypal.com. On paypal.me your are able to manage a reduced list of settings for your page such as the picture displayed, the background color, ... On paypal.com you are able to manage your personal information such as your address, phone number, ... but also your profile picture. The same picture is used in both places.

Using BURP I ran a quick test on paypal.me to check if there was any CSRF vulnerabilities. Nothing. I decided to also check on paypal.com without much hope. I found out that when removing or editing the CSRF token (http header in that case) there was no error and the profile picture was updated. I tried a real world scenario using the basic HTML page.

<iframe style="display:none" name="csrf-frame"></iframe>  
<form method='POST' action='https://www.paypal.com/myaccount/settings/photo' target="csrf-frame" id="csrf-form">  
  <input type='hidden' name='photo' value='data:image/jpeg;base64,[base 64 encoded image here]'>
</form>  
<script>document.getElementById("csrf-form").submit()</script>  

Thanks to some missing headers such as X-Frame-Options: DENY it was possible to transparently submit the form without redirection.

The result was an error 500 due to a missing header X-Requested-With:XMLHttpRequest. Even if this header is not a good protection against CSRF, it is hard to exploit (besides some genius). Fortunately, despite the error, the picture was still updated.

Using this vulnerability it was possible to update the profile picture of a paypal.me user without consent after him/her following your link.

The bug has been fixed and a $750 bounty has been paid.

I made a quick video for the Paypal team, it brings nothing but nonetheless I put it here.