An eBay/PayPal sign-out vulnerability
Nearly everyone uses PayPal to make payments on eBay. It is convenient and eBay practically requires PayPal nowadays.
PayPal is also owned by eBay, but the two sites maintain their own separate membership and authentication mechanisms. There is no single-sign-on (SSO) functionality between the two domains, meaning that users must be signed-into both of their separate eBay and PayPal accounts in order to complete an eBay checkout process using PayPal.
Not having SSO functionality is a perfectly acceptable design choice. End-users are generally inconvenienced when they must submit multiple logins to perform what seems like one, single task. The repeated logins when entering a checkout scenario are a very obvious clue to the user that they are creating multiple secured sessions.....
This is not a new defect, either. A few years ago, fellow QA Engineer, Chris Loye, pointed it out to me shortly after eBay bought PayPal. However, at that time, eBay included a "Click Here to sign-out of PayPal" link on their sign-out page. For some reason this link was removed.
Anyway, next time you pay for an eBay auction using PayPal, try this out...
Steps to recreate
- 1. Launch any web browser, and delete all temporary browsing history, cookies, cache, etc.
- 2. Go to eBay.com, and click 'My eBay'.
- 3. Sign-in to your eBay account and identify an auction win that needs to be paid.
- 4. Select PayPal as your form of payment, and sign-in to your PayPal account when prompted.
- 5. Complete the PayPal transaction workflow.
- 6. Now that your transaction is complete, you are brought back to eBay.
- 7. Click the 'sign-out' link to sign-out of eBay. The signout confirmation reads, "You've signed out. See you again soon!"
- 8. Now, in the same browser window, navigate to PayPal.com by entering "www.paypal.com" in your browser's address bar.
- 9. Click 'My Account' on the PayPal page.
Result
Notice that you were still signed-in to PayPal, after signing-out of eBay. Most users would have assumed this would happen, because after all, a separate PayPal login was required to complete the checkout process. So being still signed-in to PayPal after leaving eBay is technically not a bug, because of the way that both sites created separate secured sessions.
Leaving the session open makes unaware PayPal users' accounts vulnerable to unauthorized access. Specifically, those users who do not take the extra step of signing-out of PayPal after completing an eBay transaction, and who also leave their browser open (closing the browser will expire the session, too)
An attacker would not need to know the victim's PayPal password - they would simply wait for an opportunity to take advantage of the user's still-open session. One major mitigating factor is PayPal's short inactivity timeout, which automatically expires the user's session after a few idle minutes. But, even though the window of opportunity for an attacker would be very short. the vulnerability still exists.
Expected Result
Since no SSO functionality exists, it would not be possible to simply expire the PayPal session automatically when the user signs-out of eBay.
An alternate approach would be for eBay to present a message to PayPal users on their sign-out page that reminds them that they are still signed-in to PayPal, with a link to sign-out from there, too. At least this would make it more apparent to users that they need to sign-out separately.
