PayPal has confirmed a bug in its website that could expose users’ email addresses and passwords. Considering the seriousness of the vulnerability, PayPal even awarded a $15K bounty to the researcher for reporting the flaw.
Researcher Alex Birsan found a serious bug in the PayPal website. As described in his blog post, the vulnerability existed in the login form of PayPal. Hence, it posed a serious threat to the integrity of users’ data.
According to the researcher, he found a CSRF token and session ID in PayPal’s main authentication flow. His testing showed that the system was resilient to classic CSRF attacks. However, further digging revealed a bug in PayPal’s security challenge, a protection mechanism against brute-force attacks.
In brief, he found that the problem existed with the reCAPTCHA challenge implemented on the login form which comes into action after a few failed login attempts. As stated in his post,
The request body already contained the familiar “_sessionID”. Completing the validation request then landed the user in the authentication flow with a self-submitting form that included the user’s email address and password in plain text.
Birsan has also shared the proof-of-concept for the exploit in his post.
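To make the defensive point concrete, the following Python illustration is added here; it is neither Birsan’s proof of concept nor PayPal’s code. It contrasts a post-CAPTCHA “resume login” step that re-renders the submitted credentials into a self-submitting form (the pattern the article describes) with a hardened version that keeps the pending credentials server-side behind a one-time, session-bound token, and adds a simple response check a defender can run to catch a populated password field in returned HTML. All function names, the `_PENDING` store and the sample values are assumptions made for this example.

```python
"""
Added illustration (not Birsan's PoC, not PayPal code): a post-CAPTCHA
"resume login" step that leaks credentials by rendering them into a
self-submitting form, beside a hardened alternative that keeps the pending
credentials server-side behind an opaque, session-bound, one-time token.
All names here are hypothetical.
"""
import html
import re
import secrets
from typing import Dict, Optional, Tuple

# Constructed pending-login store: one-time token -> (session_id, email, password).
# In a real service this would live in a short-TTL server-side cache.
_PENDING: Dict[str, Tuple[str, str, str]] = {}


def render_resume_form_vulnerable(email: str, password: str) -> str:
    """Vulnerable pattern: after the CAPTCHA is solved, the cleartext
    credentials are written into the HTML that is handed back. Any page
    that can be fetched in the victim's session context exposes them."""
    return (
        '<form id="resume" method="post" action="/auth/login">'
        f'<input type="hidden" name="email" value="{html.escape(email)}">'
        f'<input type="hidden" name="password" value="{html.escape(password)}">'
        '</form><script>document.getElementById("resume").submit()</script>'
    )


def stash_pending_login(session_id: str, email: str, password: str) -> str:
    """Hardened pattern, step 1: keep the credentials on the server and hand
    the browser only an unguessable token bound to the current session."""
    token = secrets.token_urlsafe(32)
    _PENDING[token] = (session_id, email, password)
    return token


def render_resume_form_hardened(token: str) -> str:
    """Hardened pattern, step 2: the self-submitting form carries only the
    opaque token, never the email or password."""
    return (
        '<form id="resume" method="post" action="/auth/login">'
        f'<input type="hidden" name="pending" value="{html.escape(token)}">'
        '</form><script>document.getElementById("resume").submit()</script>'
    )


def resume_login(session_id: str, token: str) -> Optional[Tuple[str, str]]:
    """Hardened pattern, step 3: redeem the token exactly once, and only from
    the session that created it. Returns (email, password) or None."""
    entry = _PENDING.pop(token, None)  # pop: a token can be used only once
    if entry is None or not secrets.compare_digest(entry[0], session_id):
        return None
    return entry[1], entry[2]


def leaks_password(html_body: str) -> bool:
    """Defender-side response check: flag HTML that carries a populated
    password input value, whatever the surrounding page looks like."""
    return re.search(r'name="password"\s+value="[^"]+"', html_body) is not None


if __name__ == "__main__":
    # Constructed sample values.
    vuln = render_resume_form_vulnerable("user@example.com", "hunter2-Secret!")
    print("vulnerable form leaks password:", leaks_password(vuln))

    tok = stash_pending_login("session-abc", "user@example.com", "hunter2-Secret!")
    safe = render_resume_form_hardened(tok)
    print("hardened form leaks password:", leaks_password(safe))
    print("redeem from owning session:", resume_login("session-abc", tok))
    print("second redeem (one-time token):", resume_login("session-abc", tok))
```

The check in `leaks_password` is intentionally coarse: it is the kind of assertion one would add to an integration test or a response-scanning proxy so that a login flow which ever echoes a password back in markup fails loudly before it reaches production.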