PayPal Confirms ‘High-Severity’ Password Security Vulnerability

PayPal has confirmed that a researcher discovered a high-severity security vulnerability that could expose user passwords to an attacker. The researcher, Alex Birsan, earned a bug bounty of $15,300 (£11,700) for reporting the issue, which was disclosed on January 8 after having been patched by PayPal on December 11, 2019.

Hacker explores PayPal login form, finds a big problem

“This is the story of a high-severity bug affecting what is probably one of PayPal’s most visited pages,” Birsan wrote in his public disclosure of the vulnerability, “the login form.”

Birsan found the high-severity vulnerability while he was “exploring” the main authentication flow at PayPal. His attention was drawn to the fact that a JavaScript (JS) file contained what looked like a cross-site request forgery (CSRF) token and a session ID. “Providing any kind of session data inside a valid javascript file,” Birsan said, “usually allows it to be retrieved by attackers.”

PayPal confirms high-severity password vulnerability

PayPal confirmed that “sensitive, unique tokens were being leaked in a JS file used by the recaptcha implementation.” In certain circumstances, users have to solve a CAPTCHA challenge after authenticating, and PayPal noted that “the exposed tokens were used in the POST request to solve the CAPTCHA.” Those circumstances are a number of failed login attempts, which trigger the reCAPTCHA authentication challenge. That would be fine, until you realize that, as Birsan explained, “the response to the next authentication attempt is a page containing nothing but a Google captcha. If the captcha is solved by the user, an HTTP POST request to /auth/validatecaptcha is initiated.”
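The root cause described above is session-bound data served inside an executable script file, which any third-party page can load with a script tag. The check below is an added example, not PayPal's or Birsan's code: it audits a set of captured HTTP responses and flags script-typed bodies that embed CSRF- or session-like values. The responses, the example.test URLs and the key/value heuristics are constructed for the demonstration.

```python
import math
import re
from typing import Dict, List

# Keys whose values, if they appear inside a script file, are likely session-bound.
SENSITIVE_KEY = re.compile(
    r'["\']?(?P<key>[A-Za-z0-9_\-]*(?:csrf|xsrf|session|token|secret)[A-Za-z0-9_\-]*)["\']?'
    r'\s*[:=]\s*["\'](?P<value>[A-Za-z0-9+/=_\-.]{16,})["\']',
    re.IGNORECASE,
)

def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, template placeholders score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_embedded_tokens(js_source: str, min_entropy: float = 3.0) -> List[Dict]:
    """Return sensitive-looking literals in a script body, with their line numbers."""
    hits = []
    for m in SENSITIVE_KEY.finditer(js_source):
        value = m.group("value")
        if shannon_entropy(value) < min_entropy:
            continue  # low-entropy literal, e.g. a build-time placeholder
        line = js_source.count("\n", 0, m.start()) + 1
        hits.append({"key": m.group("key"), "line": line, "value": value[:6] + "..."})
    return hits

def audit_script_responses(responses: List[Dict]) -> List[Dict]:
    """Only script-typed responses are in scope: a JSON body cannot be executed
    cross-origin via <script>, so it is covered by other checks, not this one."""
    findings = []
    for r in responses:
        if "javascript" not in r["content_type"].lower():
            continue
        for h in find_embedded_tokens(r["body"]):
            findings.append({"url": r["url"], **h})
    return findings

# Constructed sample responses (hypothetical host, not PayPal's real files).
SAMPLE_RESPONSES = [
    {"url": "https://example.test/captcha/init.js", "content_type": "application/javascript",
     "body": 'window.captchaConfig = {\n  "siteKey": "6LdPlaceholderSiteKey000000",\n'
             '  "_csrf": "aK9fT3mQ2zXy8wVb1Lc7RnE4Hs6Ju0Pd",\n'
             '  "sessionID": "sid-9f2c1e7a4b3d8e5f6a7b8c9d0e1f2a3b"\n};\n'},
    {"url": "https://example.test/static/app.js", "content_type": "text/javascript",
     "body": 'var csrfToken = "tokentokentokentoken";\nvar theme = "dark";\n'},
    {"url": "https://example.test/api/session", "content_type": "application/json",
     "body": '{"sessionID": "sid-9f2c1e7a4b3d8e5f6a7b8c9d0e1f2a3b"}'},
]

if __name__ == "__main__":
    for f in audit_script_responses(SAMPLE_RESPONSES):
        print(f"{f['url']}:{f['line']} embeds {f['key']} = {f['value']}")
```

Run against real captures, every finding is a value that should instead be delivered over an authenticated, non-script response and, as PayPal's fix suggests, accepted only once.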

Sophisticated attack method required

Not that the attack method was simple, but threat actors are not afraid of sophisticated methods if the potential payout is worth it. I think we can all agree that access to a PayPal account falls into the “worth it” category.

PayPal confirmed that a user would need to follow a login link from a malicious website and enter their PayPal credentials. The attacker could then complete the security challenge, which would trigger a replay of the authentication request and expose the password. “This exposure only occurred,” PayPal said, “if a user followed a login link from a malicious site, similar to a phishing page.”

As Birsan said, however, in the real world of a social engineering attack, “the only user interaction needed would have been a single visit to an attacker-controlled web page.”

PayPal patches password vulnerability

Birsan submitted his proof of concept for all of the above to PayPal, through the HackerOne bug bounty platform, on November 18, 2019. The exploit was validated by HackerOne 18 days later, and Birsan received his bounty payment on December 10.

Within 24 hours, PayPal had patched the vulnerability.

PayPal said that it “implemented additional controls on the security challenge request to prevent token reuse, which resolved the issue, and no evidence of abuse was found.”

Hacking for money and kudos

HackerOne is a hugely popular bug bounty platform that connects ethical hackers with organizations that pay rewards for vulnerabilities found in their software, services or products. Those rewards can be extremely lucrative, as I revealed recently when I wrote about six HackerOne hackers who had each made more than $1 million (£764,000) from the platform. One hacker even managed to hack the HackerOne platform itself and earned $20,000 (£15,250) for doing so. Security researcher Alex Birsan did not get quite as much for finding the high-rated PayPal vulnerability, but it was still a decent enough payday. Not as big as the reward on offer for anyone who can hack a Tesla Model 3 electric car, though. The hacker who meets that challenge at the Pwn2Own hacking contest in March could pick up $700,000 (£535,000) and a brand new Tesla Model 3 for good measure. Even that pales into insignificance compared to the $1.5 million (£1,145,000) that Apple has confirmed for hacking the iPhone.
