The main PayPal web site sets a cookie named "aksession" which contains a blob of base64-encoded ciphertext. This ciphertext is encrypted using a 64-bit block cipher in CBC mode and does not have any other integrity protection. Naturally, this means the aksession cookie is vulnerable to a padding oracle attack allowing full decryption and forgery. Here's an example of an aksession cookie: 1371856787~id=cookieMOF13DX8hKxMUVKWTDJ4Mp6lam2TdbUs44BJ7iduOubp9+zII2ZAWPz9C9HM3GQDGNhUPxyHZ9eHF9kkF6BYdLaRYxMIpGlMYgobM+FYnB8//iMqth8sT/wrigUy4jnV1OLnkkE2g4x= The ciphertext begins immediately after the "cookie" string. The base64 value's first 8 bytes is the random initialization vector. The decrypted plaintext contains: expiretime=1371856787&sessionip=61.183.192.0&strategy=0&scriptid=&challenge=0&seedid=PRI This flaw currently still exists in the PayPal site. PayPal was notified through their bug bounty program, but they determined that this flaw is "invalid" and does not deserve a bounty. They said it would be fine to publish it. To be fair, this cookie does indeed contain no sensitive information. However, I think it may be a bit short-sighted of PayPal to discount this issue, since there are several potentially interesting parameters in the plaintext that could be forged by an attacker. I have only ever observed plaintext values like the one above (that is, with several parameters blank or "0"), so I can't tell for sure what they are used for. PayPal never confirmed for me whether or not they investigated attack scenarios involving modification of the parameters. (In general, their responses were incredibly terse and unhelpful.) I've decided it isn't worth more of my time trying to fuzz these parameters, but perhaps someone else will get lucky. I figured I could at least use this issue as an educational opportunity-- I've created a short video which demonstrates how to identify and exploit this problem using the Bletchley[1] took kit: http://youtu.be/qqNgcc9v_DQ If you are interested in learning more, note that I'll be giving a 2-day training course[2] at AppSecUSA 2013 which will cover exploitation of a wide variety of common cryptography implementation problems, including padding oracle flaws. Finally, for those keeping score, here's a disclosure timeline: 2013-06-22 Initial notification with vulnerability details 2013-06-24 Form-letter response from PayPal 2013-06-28 Sent follow up with exploit script. 2013-07-12 Asked for an update from PayPal. PayPal responded that the evaluation is still "in process". 2013-07-15 PayPal indicated that the bug is not eligible for a bounty because: "This cookie doesnt contain any sensitive information." 2013-07-15 Responded to PayPal urging them to investigate the possibility of malicious modification of parameters within the cookie, since doing this exhaustively in a black box way requires a great deal of effort. 2013-08-06 After being ignored in the prior email, asked PayPal if it would be ok to publish this flaw. 2013-08-07 PayPal responded with: "This bug does not contain any sensitive data and we have determined it is invalid. You may publish your findings regarding this bug." Enjoy, tim @ecbftw 1. https://code.google.com/p/bletchley/ 2. http://sched.co/19n00R5