PayPal has confirmed that a researcher found a high-severity security vulnerability that could expose user passwords to an attacker. The researcher, Alex Birsan, earned a bug bounty of $15,300 (£11,700) for reporting the problem, which was disclosed January 8 having been patched by PayPal on December 11, 2019.
Hacker explores PayPal login form, finds a big problem
“This is the story of a high-severity bug affecting what is probably one of PayPal’s most visited pages,” Birsan wrote in his public disclosure of the vulnerability, “the login form.”
Birsan discovered the high-severity vulnerability when he was “exploring” the main authentication flow at PayPal. His attention was drawn to the fact that a JavaScript (JS) file contained what looked like a cross-site request forgery (CSRF) token and a session ID. “Providing any kind of session data inside a valid javascript file,” Birsan said, “usually allows it to be retrieved by attackers.”
PayPal confirms high-severity password vulnerability
PayPal confirmed that, “sensitive, unique tokens were being leaked in a JS file used by the recaptcha implementation.” In certain circumstances, users have to solve a CAPTCHA challenge after authenticating, and PayPal noted that “the exposed tokens were used in the POST request to solve the CAPTCHA.” The circumstances being several failed login attempts that kick off the reCAPTCHA authentication challenge. Which is OK, until you realize that, as Birsan explained, “the response to the next authentication attempt is a page containing nothing but a Google captcha. If the captcha is solved by the user, an HTTP POST request to /auth/validatecaptcha is initiated.”
Sophisticated attack strategy required
Not that the attack methodology was straightforward, but threat actors are not afraid of sophisticated strategies if the potential payout is worth it. I think we can all agree that access to a PayPal account falls into the “worth it” category.
PayPal confirmed that a user would need to follow a login link from a malicious site and enter their PayPal credentials. The attacker could then complete the security challenge, which would trigger an authentication request replay to expose the password. “This exposure only occurred,” PayPal said, “if a user followed a login link from a malicious site, similar to a phishing page.”
As Birsan said, however, in the real-world of the social engineering attack, “the only user interaction needed would have been a single visit to an attacker-controlled web page.”
PayPal patches password vulnerability
Birsan submitted his proof of concept of all the above to PayPal, via the HackerOne bug bounty platform, on November 18, 2019. The exploit was validated by HackerOne 18 days later, and Birsan received his bounty payment on December 10.
Within 24 hours, PayPal had patched the vulnerability.
PayPal said that it “implemented additional controls on the security challenge request to prevent token reuse, which resolved the issue, and no evidence of abuse was found.”
Hacking for cash and kudos
HackerOne is a hugely popular bug bounty platform that connects ethical hackers with organizations that pay rewards for vulnerabilities that are found in their software, services or products. Those rewards can be extremely lucrative, as I revealed recently when I wrote about six HackerOne hackers who had made more than $1 million (£764,000) each from the platform. One hacker even managed to hack the HackerOne platform itself and earned himself $20,000 (£15,250) in so doing.
Security researcher Alex Birsan didn’t get quite as much for finding the high-rated PayPal vulnerability, but it was still a decent enough payday. Not as big as the reward on offer for anyone who can hack a Tesla Model 3 electric car though. The hacker who meets that challenge at the Pwn2Own hacking contest in March could pick up $700,000 (£535,000) and a brand new Tesla Model 3 for good measure. Even that pales into insignificance compared to the $1.5 million (£1,145,000) that Apple has confirmed for hacking the iPhone.
Follow me on Twitter or LinkedIn. Check out my website.
I’m a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994. A three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) I was also fortunate enough to be named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro called ‘Threats to the Internet.’ In 2011 I was honored with the Enigma Award for a lifetime contribution to IT security journalism. Contact me in confidence at davey@happygeek.com if you have a story to reveal or research to share.
Source: PayPal Confirms ‘High-Severity’ Password Security Vulnerability
