Security News > 2020 > January > PayPal Patches Vulnerability That Exposed User Passwords
A researcher has earned over $15,000 from PayPal for reporting a critical vulnerability that could have been exploited by hackers to obtain user email addresses and passwords.
Identified while analyzing PayPal's main authentication flow, the issue was related to PayPal placing cross-site request forgery tokens and the user session ID in a JavaScript file, thus making them retrievable by attackers via cross-site script inclusion attacks.
The researcher discovered that the CSRF token and session ID are present in the request body, along with two other tokens, and concluded that the victim's PayPal credentials could be retrieved if all the tokens used in the request were known.
The value of one of these unknown tokens is not validated, while the other is recaptcha, the token provided by Google upon solving a reCAPTCHA challenge, which was not tied to the session, meaning that any valid token, including one from an automated solving service, could be used instead. Birsan created code that would exploit the initial XSSI vulnerability to retrieve valid tokens from the victim's session, then simulate a brute-force attempt to trigger the security challenge flow.
In order to obtain the credentials, an attacker would need to convince the targeted user to visit a malicious website before the user logged in to their PayPal account.