PayPal has confirmed a bug in its website that could expose users’ email addresses and passwords. Considering the seriousness of the vulnerability, PayPal even awarded a $15K bounty to the researcher for reporting the flaw.
PayPal Bug Exposing Credentials Researcher Alex Birsan found a serious bug in the PayPal website. As described in his blog post, the vulnerability existed in the login form of PayPal. Hence, it posed a serious threat to the integrity of users’ data. According to the researcher, he found a CSRF token and session ID in PayPal’s main authentication flow. His testing attempts made him realize the system’s resilience to classic CSRF attacks. However, further digging around revealed a bug in PayPal’s security challenge – a protection mechanism against brute force attacks.
In brief, he found that the problem existed with the reCAPTCHA challenge implemented on the login form which comes into action after a few failed login attempts.
As stated in his post, Upon detecting a possible brute-force attempt, the response to the next authentication attempt is a page containing nothing but a Google captcha. If the captcha is solved by the user, an HTTP POST request to /auth/validatecaptcha is initiated.
The request body already contained “familiar _csrf and _sessionID”. Completing the validation request then landed the user to the authentication flow with a self-submitting form that included the user’s email address and password in plain text.
I realized that, with the correct timing and some user interaction, knowing all the tokens used in this request was enough to get the victim’s PayPal credentials. In a real-life attack scenario, the only user interaction needed would have been a single visit to an attacker-controlled web page.
Birsan has also shared the proof-of-concept for the exploit in his post. Researcher Won $15K Bounty Upon finding the bug, the researcher collaborated with PayPal via their HackerOne bounty program. As revealed through the HackerOne report, Birsan found this vulnerability in November 2019. Then, with continued communication, PayPal eventually resolved the bug in December 2019. And, the disclosure came just recently.
As confirmed by PayPal, A bug was identified whereby sensitive, unique tokens were being leaked in a JS file used by the recaptcha implementation… PayPal implemented additional controls on the security challenge request to prevent token reuse, which resolved the issue, and no evidence of abuse was found.
PayPal has not only confirmed the presence of the bug but has also awarded a bounty of $15,300 to the researcher.