Paypal Remote Code Execution

CVE-2013-7201, CVE-2013-7202


  • Severity: High
  • Affected products: Paypal Android Application
  • Affected Versions: Paypal<=5.3 & Android <4.2
  • Vendor: Paypal
  • Vendor Response: Vendor Response
  • Authors: Henry Hoggard, MWR Labs
  • CVE Reference: SSL Bypass: CVE-2013-7201; Remote Code Execution: CVE-2013-7202

2013-12-23 Sent initial details of bug
2013-12-23 Paypal acknowledges bugs, pointing out that SSL issues are out of scope in their bug bounty
2013-12-29 Paypal request video PoC
2013-12-29 PoC video provided
2014-02-25 Paypal claim no risk to Paypal brand

A vulnerability was discovered in the Paypal application for Android. The vulnerability allows an attacker to gain code execution via a man-in-the-middle attack.


PayPal for Android allows users to send and receive money on Android. It contains features similar to those of the web-based PayPal application. The PayPal Android app is vulnerable to remote code execution via man-in-the-middle attacks.


Remote code and command execution in the context of the application. The API secrets needed to interact with PayPal’s API are stored in cleartext in the shared preferences file. These could be stolen using this exploit and then used to call methods from the PayPal API.


PayPal uses a webview that ignores SSL certificate errors, and the same webview has a Javascript Interface implemented. The combination of the two bugs allows an attacker in a man-in-the-middle position on the webview's connections to execute code on the device.

Interim Workaround

Do not use the Paypal Android app on public Wi-Fi networks. Update your device to Android 4.2 or later if possible.


Changing from proceed() to cancel() will stop the webview accepting invalid SSL certificates. This will prevent attackers from performing a MITM attack on the webview and injecting malicious code.

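public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler,
        SslError paramSslError) {
    paramSslErrorHandler.cancel(); // fixed: abort the load on any SSL error instead of calling proceed()
}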

Technical Details

SSL Bypass

The class implements a webview. If it hits an SSL error, it will continue with the request, rather than displaying an error or killing the connection. This means an attacker can MITM HTTPS requests through this webview.

public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler,
        SslError paramSslError) {
    paramSslErrorHandler.proceed(); // vulnerable: continues the request despite the SSL error
}

Vulnerable Classes

  • com/paypal/android/choreographer/flows/help/
  • com/paypal/android/choreographer/flows/shop/fragments/
  • com/paypal/android/choreographer/web/

Javascript Code Execution

The WebHybridClient class contains a method that uses a Javascript Interface. This allows an attacker to execute code on the device in the context of the PayPal application on Android 4.1 and below.

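public View onCreateView(LayoutInflater paramLayoutInflater, ViewGroup paramViewGroup,
        Bundle paramBundle) {
    // (view inflation and webview setup are not shown in this excerpt)
    // Exposes this.mListener to JavaScript running in the loaded page under the name "ppAndroid"
    this.web.addJavascriptInterface(this.mListener, "ppAndroid");
    return localView;
}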

It was recently discovered that applications do not even need to have a Javascript Interface in their code to be vulnerable to this attack. This is because a Javascript Interface is implemented in the core webview code in Android versions before 4.2, meaning that every single application that loads a webview over cleartext is vulnerable to this attack.
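
An added example, not part of the original advisory or of PayPal's code: a small Python audit that scans decompiled Java sources for the two patterns described under Technical Details, an onReceivedSslError callback that calls proceed() on its handler and a call to addJavascriptInterface, and flags files that contain both. The file names and sample sources are constructed for illustration, and treating "both in one file" as the combination is a simplifying assumption.

```python
import re
# Constructed sample input: decompiled-style Java modelled on the advisory's fragments.
SAMPLE = {
    "HybridFragment.java": '''
public class HybridFragment {
  public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler,
      SslError paramSslError) {
    paramSslErrorHandler.proceed();
  }
  public View onCreateView(LayoutInflater a, ViewGroup b, Bundle c) {
    this.web.addJavascriptInterface(this.mListener, "ppAndroid");
  }
}''',
    "FixedClient.java": '''
public class FixedClient {
  public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
    if (e != null) { log(e); }
    h.cancel();
  }
}''',
}

SSL_CALLBACK = re.compile(r"void\s+onReceivedSslError\s*\(([^)]*)\)\s*\{")
JS_INTERFACE = re.compile(r'\.addJavascriptInterface\s*\([^,]+,\s*"([^"]*)"')

def method_body(src, open_idx):
    """Text between the '{' at open_idx and its matching '}' (brace counting)."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]

def audit(src):
    """Report ignored SSL errors and exposed JavaScript bridges in one source file."""
    ignored = False
    for m in SSL_CALLBACK.finditer(src):
        handler = re.search(r"SslErrorHandler\s+(\w+)", m.group(1))  # handler parameter name
        body = method_body(src, m.end() - 1)
        ignored |= bool(handler and re.search(r"\b%s\s*\.\s*proceed\s*\(" % handler.group(1), body))
    bridges = JS_INTERFACE.findall(src)  # names the bridge objects are exposed under
    return {"ssl_error_ignored": ignored, "js_interfaces": bridges,
            "both": ignored and bool(bridges)}

def audit_tree(sources):
    """Audit every file and keep only those with at least one finding."""
    results = {name: audit(src) for name, src in sources.items()}
    return {n: r for n, r in results.items() if r["ssl_error_ignored"] or r["js_interfaces"]}
```

The matching is textual, so it does not distinguish comments or string literals from code and should be treated as a triage pass before manual review.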