PayPal has confirmed a security analyst’s report that a security vulnerability could expose user passwords to a hacker. The researcher, Alex Birsan, reportedly earned a bug bounty of $15,300 for discovering the problem, which was disclosed on January 8. PayPal patched the flaw in early December.
"This is the story of a high-severity bug affecting what is probably one of PayPal’s most visited pages," Birsan wrote in his public disclosure of the vulnerability, "the login form."
After conducting its own investigation, PayPal said "sensitive, unique tokens were being leaked in a JS file used by the recaptcha implementation." In many cases, users are required to solve a CAPTCHA challenge after authenticating their input. PayPal says "the exposed tokens were used in the POST request to solve the CAPTCHA."
After several failed login attempts, the user may no longer answer the CAPTCHA authentication challenge, but Birsan says there was an easy-to-discover work-around.
In its discussion of the security flaw, PayPal said an account would have to follow a link from a malicious site to be tricked into revealing login credentials. But if they did that, the attacker could then complete the security challenge.
"This exposure only occurred," PayPal said, "if a user followed a login link from a malicious site, similar to a phishing page."
PayPal implemented additional controls on the security challenge request to prevent token reuse, which reportedly resolved the issue. The company says no evidence of abuse was found.
The lesson for PayPal users is to be on the lookout for bogus emails from the service. Be very suspicious of an email with a link that purportedly will take you to a website where you are asked to enter your login credentials. In almost every case, that will be a scam.