Hacker Exposes High-Security Bug to PayPal

Hacker Exposes High-Security Bug to PayPal


Alex Birsan, a security researcher, found a high-security bug on PayPal’s login page, where users’ password information can get exposed. PayPal awarded Mr. Birsan $15,300 for discovering the bug, and PayPal immediately remedied the problem by releasing a patch within 24 hours. This comes as a huge relief as patches for many security vulnerabilities may take months. PayPal is a highly sought financial platform for malicious actors. By gaining access to users’ accounts, it will easily allow them to “cash out” or “card” their accounts, as there are plenty of “how to” guides on sale that detail the steps to do so.

So what exactly was the vulnerability that would compromise users’ password information?

While Mr. Birsan was looking through PayPal’s main authentication page, he noticed that a JavaScript file, which is used to run the JavaScript language on the client user-side of the webpage, contained what looked like a cross-site request forgery (CSRF) token and session ID. The CSRF token is a computer security feature added to a web form to make sure the client requesting access is actually loading the form by preventing cross-site request forgeries with the random, hard-to-guess CSRF token. However, Mr. Birsan explained that “providing any kind of session data inside a valid JavaScript file usually allows it to be retrieved by attackers. In what is known as a cross-site script inclusion (XSSI) attack, a malicious web page can use an HTML <script> tag to import a script cross-origin, enabling it to gain access to any data contained within the file.”

PayPal looked into the issue and confirmed that there was a bug in their login form where the unique tokens were being leaked by the JavaScript file used by a recaptcha implementation.

While PayPal informed that taking advantage of such a vulnerability would require sophisticated attack strategies – through social engineering and phishing – and that they continuously work on addressing vulnerabilities they come across, they are also aware that many organizations and clients lack the security awareness and security experts, even if they have the budget for it. It is clear that having cybersecurity management measures in place on all ends to prevent such commonly-made, sophisticated attacks are more important than ever so that all businesses and activities run smoothly and confidently.



LIFARS Secure Code Review Can Identify  Security Gaps within Your Code

LIFARS Is Offering Free 30 min Consultation 

Get in Touch with a LIFARS Expert Today To Take Advantage of These Services