PayPal has confirmed a security researcher's report that a vulnerability on its site could expose users' passwords to an attacker. The researcher, Alex Birsan, reportedly earned a bug bounty of $15,300 for finding the problem, which he publicly disclosed on January 8, 2020. PayPal had patched the flaw in early December 2019.
"This is the story of a high-severity bug affecting what is probably one of PayPal’s most visited pages," Birsan wrote in his public disclosure of the vulnerability, "the login form."
Birsan said he found the vulnerability while examining the main authentication flow on the PayPal site. One JavaScript (JS) file looked odd: it contained what appeared to be a cross-site request forgery (CSRF) token and a session ID.
That was serious, Birsan said, because exposing any kind of session data inside a valid JavaScript file "usually allows it to be retrieved by attackers." The reason is cross-site script inclusion: a page on any other origin can load such a file with a script tag, the browser sends the victim's cookies with the request, and the values the file defines become readable to the attacker's page.
PayPal probe
After conducting its own investigation, PayPal said "sensitive, unique tokens were being leaked in a JS file used by the recaptcha implementation." In some cases, PayPal requires users to solve a CAPTCHA challenge after authenticating, and the company says "the exposed tokens were used in the POST request to solve the CAPTCHA."
PayPal presents that challenge after several failed login attempts. Completing it was the remaining obstacle for an attacker holding the leaked tokens, and Birsan says it was easy to work around.
In its discussion of the flaw, PayPal said a user would have to follow a link from a malicious site to be tricked into revealing login credentials. If the user did that, the attacker could then complete the security challenge.
"This exposure only occurred," PayPal said, "if a user followed a login link from a malicious site, similar to a phishing page."
PayPal implemented additional controls on the security challenge request to prevent token reuse, which it says resolved the issue. The company says it found no evidence of abuse.
Because the tokens leaked from PayPal's own domain, the login page the victim landed on could be the genuine one; the flaw did not require a look-alike page, which is why PayPal's server-side fix, rather than user vigilance, is the real remedy. The lesson for PayPal users still stands: be on the lookout for bogus emails from the service, and be very suspicious of any email with a link that purportedly takes you to a website where you are asked to enter your login credentials. In almost every case, that will be a scam.