The American worldwide online payment system giant PayPal recently confirmed that a security researcher discovered a high-severity security vulnerability that could expose users' passwords to attackers. Researcher Alex Birsan earned a bug bounty of around $15,300 or £11,700 for reporting the issue. The vulnerability, disclosed to the public on Jan. 8, 2020, was patched by PayPal on Dec. 11, 2019.

In his public disclosure, titled "The Login Form", Birsan tells the story of a high-severity bug affecting what is perhaps one of PayPal's most visited pages. The researcher discovered the issue while exploring the main authentication flow of the worldwide online payments system. His attention was caught by a JavaScript file that contained what appeared to be a cross-site request forgery (CSRF) token as well as a session ID.

According to the researcher, placing any kind of session data inside a valid JavaScript file usually allows attackers to retrieve it, since a script file can be loaded from any origin. PayPal confirmed the high-severity password vulnerability. The company said that sensitive, unique tokens were leaked in a JavaScript file used by the reCAPTCHA implementation. In some circumstances, users need to solve a CAPTCHA challenge after authenticating.

According to PayPal, the exposed tokens were used in the POST request that solves the CAPTCHA challenge. The circumstances involve multiple failed login attempts, which trigger the reCAPTCHA authentication challenge. At first glance this looks harmless, but anyone who later learns the details of the vulnerability will realize that it isn't.

The researcher explained that the response to the next authentication attempt is a page that contains nothing but a Google CAPTCHA. If the CAPTCHA is solved, an HTTP POST request to /auth/validatecaptcha is triggered. Although the attack method was straightforward, attackers do not shy away from complex strategies when the payoff justifies it.
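The defensive lesson of the two passages above is that per-session values (a CSRF token, a session ID) must never be baked into a response that another origin can load as a script. The following audit helper is an added example, not PayPal's code and not from the researcher's write-up: it scans a response for token- or session-looking literals and reports them only when the response could be executed cross-origin via `<script src>`. The sample responses, the token values and the `/auth/csrf-token` endpoint are constructed for illustration; the `Cross-Origin-Resource-Policy` and `X-Content-Type-Options` headers it checks are real browser-enforced headers.

```python
"""Audit HTTP responses for session material embedded in script-includable files.
Added example; the sample responses and token values below are constructed."""
import re
from dataclasses import dataclass, field

SCRIPT_MIME = {"application/javascript", "text/javascript", "application/x-javascript"}

# Assignments or object keys that hand a CSRF token or session identifier to
# page script, e.g.   var _csrf = "..."   sessionID: '...'   "csrfToken": "..."
SECRET_ASSIGNMENT = re.compile(
    r"""["']?(?P<name>[\w$]*(?:csrf|xsrf|session|sessid|token)[\w$]*)["']?"""
    r"""\s*[:=]\s*["'](?P<value>[^"']{8,})["']""",
    re.IGNORECASE,
)


@dataclass
class HttpResponse:
    content_type: str
    body: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup; returns the value lower-cased or ''."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v.strip().lower()
        return ""

    @property
    def mime(self):
        return self.content_type.split(";")[0].strip().lower()


def embedded_secrets(resp):
    """(name, value) pairs for token/session-looking literals in the body."""
    return [(m.group("name"), m.group("value")) for m in SECRET_ASSIGNMENT.finditer(resp.body)]


def script_includable_cross_origin(resp):
    """Could another origin's <script src=...> execute this response?"""
    if resp.header("cross-origin-resource-policy") in ("same-origin", "same-site"):
        return False  # browsers honouring CORP refuse the cross-origin no-cors load
    if resp.mime in SCRIPT_MIME:
        return True
    # Non-script MIME type: nosniff makes browsers refuse to run it as a script.
    # Without nosniff, conservatively assume it could be executed.
    return resp.header("x-content-type-options") != "nosniff"


def audit(resp):
    """Findings for the 'session data in a script file' pattern; empty list = OK."""
    if script_includable_cross_origin(resp):
        return [f"{name} exposed to cross-origin script inclusion" for name, _ in embedded_secrets(resp)]
    return []


# Constructed sample 1: the weak pattern, session values inside a script file.
VULNERABLE_JS = HttpResponse(
    content_type="application/javascript; charset=utf-8",
    body="""
// constructed: per-session values baked into a script anyone can include
var _csrf = "cSrF-ToKeN-0123456789";
window.__config = { sessionID: 'SeSsIoN-1d-abcdef0123', captchaSiteKey: '6LxCONSTRUCTED' };
""",
)

# Constructed sample 2: the script carries no session values and is additionally
# marked same-origin; the token comes from a hypothetical same-origin JSON endpoint.
HARDENED_JS = HttpResponse(
    content_type="application/javascript; charset=utf-8",
    body="""
// constructed: no secrets in the file; fetch the CSRF token at runtime instead
fetch("/auth/csrf-token", { credentials: "same-origin" })
  .then(function (r) { return r.json(); })
  .then(function (j) { window.__csrf = j.csrfToken; });
""",
    headers={"Cross-Origin-Resource-Policy": "same-origin"},
)

# Constructed sample 3: the token endpoint itself. It does contain the secret,
# but JSON + nosniff + CORP means no foreign origin can execute or embed it.
HARDENED_TOKEN_JSON = HttpResponse(
    content_type="application/json",
    body='{"csrfToken": "cSrF-ToKeN-0123456789"}',
    headers={"X-Content-Type-Options": "nosniff", "Cross-Origin-Resource-Policy": "same-origin"},
)

if __name__ == "__main__":
    for label, resp in [("vulnerable", VULNERABLE_JS), ("hardened-js", HARDENED_JS),
                        ("hardened-json", HARDENED_TOKEN_JSON)]:
        print(label, audit(resp) or "OK")
```

The primary fix is the one `HARDENED_JS` shows: keep per-session values out of any file a foreign page can pull in with a script tag and hand them to the page through a same-origin request instead. `Cross-Origin-Resource-Policy` and `X-Content-Type-Options: nosniff` are defence in depth that make the audit pass even for the endpoint that legitimately returns the token.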

PayPal also revealed that a user would have to follow a login link from a malicious site and enter their credentials. The attacker could then complete the security challenge themselves, which replays the authentication request and reveals the password. According to PayPal, the exposure occurred only when a user visited the malicious site through such a login link, much like a phishing page.

However, the researcher notes that in a real-world social engineering attack, the only user interaction required would be a single visit to an attacker-owned web page. Birsan submitted his proof of concept to PayPal through the HackerOne bounty platform on Nov. 18, 2019. HackerOne validated the exploit 18 days later, and the researcher received his bounty reward on Dec. 10, 2019. PayPal patched the vulnerability within 24 hours of learning about it.