PayPal Rewards Hacker Who Discovers Its Vulnerability

Updated on Jan 30, 2020 at 7:48 pm UTC

According to PayPal’s summary of the problem, if a user entered their PayPal credentials after following a login link from a malicious site, an attacker could have completed the security challenge themselves and obtained that user’s password.

PayPal confirmed that a researcher had found a severe vulnerability that could have exposed user passwords to an attacker. Alex Birsan, who discovered it, earned a $15,300 bug bounty for reporting the problem. The vulnerability was publicly disclosed on January 8 and has since been fixed.

In his public disclosure, Birsan wrote that this “is the story of a high-severity bug affecting what is probably one of PayPal’s most visited pages,” referring to the login form.

While exploring PayPal’s main authentication flow, Birsan noticed a JavaScript (JS) file that contained what looked like a cross-site request forgery (CSRF) token and a session ID.

He wrote:

“Providing any kind of session data inside a valid javascript file usually allows it to be retrieved by attackers.”

PayPal Confirms Password Vulnerability

PayPal admitted that “sensitive, unique tokens were being leaked in a JS file used by the recaptcha implementation.” PayPal noted that “the exposed tokens were used in the POST request to solve the CAPTCHA.”

The challenge is triggered after a number of failed login attempts, which in itself is a normal anti-brute-force measure. The problem starts with what happens next. As Birsan explained, “the response to the next authentication attempt is a page containing nothing but a Google captcha. If the captcha is solved by the user, an HTTP POST request to /auth/validatecaptcha is initiated.”

PayPal confirmed that exploiting the issue required the victim to follow a login link from a malicious site and enter their PayPal credentials there. Holding the leaked tokens, the attacker could then complete the security challenge themselves; that request replayed the victim’s authentication attempt and disclosed the password. PayPal stressed that the exposure occurred only if a user followed a login link from a malicious site.

PayPal Fixed Mistake in Less than 24 Hours

Birsan submitted his proof of concept to PayPal through the HackerOne bug bounty platform on November 18, 2019. The report was confirmed 18 days later, and PayPal patched the vulnerability within 24 hours of that confirmation.

HackerOne is a widely recognized bug bounty platform that connects ethical hackers with organizations that pay them for any vulnerabilities or mistakes found in their software, services or products. Those rewards can be very profitable: six HackerOne hackers have each earned more than $1 million (£764,000) through the platform. Another hacker even managed to hack the HackerOne platform itself and earned $20,000 (£15,250) for doing so (which sounds rather low, if you ask us).

Want a New Tesla? Hack it!

Birsan, by contrast, did not get nearly as much for finding the high-severity PayPal vulnerability, but it is what it is. We think rewards for this kind of work should be larger, since that would encourage ethical hackers to look even harder for security flaws.

Tesla might be a good example. Anyone who can hack a Tesla Model 3 at the Pwn2Own hacking contest in March could pick up $700,000 and a brand new Tesla Model 3. And Apple offers up to $1.5 million for hacking the iPhone. Well, that’s more like it.
