PayPal Confirms that User Authentication Tokens have Leaked

  • Users of PayPal could have had their accounts taken over by malicious actors operating specially crafted websites.
  • The attack chains stolen user tokens with a series of deliberately failed authentication attempts.
  • PayPal's mistake was leaving the user's credentials in plaintext in the browser's cache.

Researcher Alex Birsan found a bug in PayPal that let an attacker retrieve CSRF tokens and session IDs through XSSI (cross-site script inclusion) attacks against users of the platform. On their own, the leaked tokens were not enough to mount a cross-site request forgery against an account, but they opened another way in. Birsan noticed that after a few failed login attempts PayPal requires the user to solve a reCAPTCHA. An attacker holding the stolen tokens could hook into this security-challenge step of the authentication flow and read the victim's email and password in plaintext.

[Image: token grab. Source: Medium]

Birsan earned $15,300 for the discovery, which he made on November 18, 2019; PayPal patched the bug on December 11, 2019. Unique tokens were nonetheless exposed in the meantime, and that exposure could have led to account takeovers. A typical way to trick a victim would be to get them to follow a login link from a malicious website, much like a standard phishing page. Once the victim lands there, the site can simulate a brute-force attempt by firing a series of random authentication requests, which triggers the reCAPTCHA step; it then obtains a fresh token and finally retrieves the plaintext credentials.

[Image. Source: Medium]

That said, all users had to do to stay safe was avoid following a PayPal login link from a malicious website, or at least avoid entering their PayPal credentials on the page it led to. Malicious websites are not always easy to identify, but with the bug now fixed that is all there is to the story for now. Whether the flaw was actually exploited in the wild has not been clarified. As the researcher points out, PayPal could have mitigated the risk simply by never storing the password in plaintext in the cache, which is a basic precaution.

PayPal continuously runs bug bounty programs on HackerOne, paying $20,000 for critical vulnerabilities, $10,000 for high-severity bugs, $1,000 for medium and $100 for low. The vulnerability described above came to light thanks to programs like this, which highlights the importance of giving security experts an incentive to dig deeper and find potential ways to attack the platform's users. So far, PayPal has paid over two million US dollars across 856 researcher reports.
