Breaking News

Samsung Display to Introduce First 90Hz OLED Laptop Display addlink launch P20 Portable SSD speed of up to 1050MB/s aKASA announces RGB controllers the new SOHO and VEGAS XL A Brief History of the Galaxy S Series’ Camera Technologies Samsung Introduces the 870 EVO SATA SSD Series

logo

  • Share Us
    • Facebook
    • Twitter
  • Home
  • Home
  • News
  • Reviews
  • Forum
  • Legacy
  • About
    • Submit News

    • Contact Us
    • Privacy

    • Promotion
    • Advertise

    • RSS Feed
    • Site Map

Search form

Paypal Patches High-severity Password Vulnerability

Paypal Patches High-severity Password Vulnerability

Enterprise & IT Jan 10,2020 0

PayPal has confirmed that a researcher found a high-severity security vulnerability that could expose user passwords to an attacker.

The researcher, Alex Birsan, earned a bug bounty of $15,300 for reporting the problem, which was disclosed January 8 having been patched by PayPal on December 11, 2019.

The bug affecting what is probably one of PayPal’s most visited pages: the login form.

Birsan discovered the high-severity vulnerability when he was "exploring" the main authentication flow at PayPal. His attention was drawn to the fact that a JavaScript (JS) file contained what looked like a cross-site request forgery (CSRF) token and a session ID. "Providing any kind of session data inside a valid javascript file," Birsan said, "usually allows it to be retrieved by attackers."

"A bug was identified whereby sensitive, unique tokens were being leaked in a JS file used by the recaptcha implementation. In certain cases, a user must solve a CAPTCHA challenge after authenticating. When the security challenge is completed, the authentication request is replayed to log in. The exposed tokens were used in the POST request to solve the CAPTCHA," Paypal said, confirming Birsan's findings.

"The researcher identified a method by which a user, starting from a malicious site, could expose the security challenge token to a third party via a cross-site script inclusion (XSSI) attack. If the user then followed a login link from the malicious site and entered their credentials, the malicious third party could complete the security challenge, triggering the authentication request replay and exposing the user's password. This exposure only occurred if a user followed a login link from a malicious site, similar to a phishing page."

The proof of concept, along with all relevant information, was submitted to PayPal’s bug bounty program on the 18th of November 2019, and was validated by HackerOne 18 days later.

A patch was applied around 24 hours later, meaning that the bug was fixed only five days after PayPal became aware of it — quite an impressive turnaround time.

PayPal said it implemented additional controls on the security challenge request to prevent token reuse, which resolved the issue, and that "no evidence of abuse was found."

Tags: PaypalbugsCybersecurity
Previous Post
Youtube Implements New Measures to Better Protect Kids’ Privacy, Combat Harassment
Next Post
ZOTAC At CES 2020

Related Posts

  • Intel Confirms "Thunderspy" Risk in Thuerbolt Devices

  • Microsoft Offers You $100,000 If You Can Hack the Linux-based Azure Sphere

  • Apple Says 'No Evidence' iPhone Mail Bug Used Against Consumers

  • Malwarebytes Introduces VPN Service

  • Google Says State-backed Hackers Use Coronavirus For Phishing Attacks

  • Apple to Patch Serious iOS Vulnerability

  • Apple is The Most Imitated Brand For Phishing in Q1 2020

  • Microsoft Shares Threat Intelligence During Global Crisis

Latest News

Samsung Display to Introduce First 90Hz OLED Laptop Display
Enterprise & IT

Samsung Display to Introduce First 90Hz OLED Laptop Display

addlink launch P20 Portable SSD speed of up to 1050MB/s
PC components

addlink launch P20 Portable SSD speed of up to 1050MB/s

aKASA announces RGB controllers the new SOHO and VEGAS XL
PC components

aKASA announces RGB controllers the new SOHO and VEGAS XL

A Brief History of the Galaxy S Series’ Camera Technologies
Smartphones

A Brief History of the Galaxy S Series’ Camera Technologies

Samsung Introduces the 870 EVO SATA SSD Series
PC components

Samsung Introduces the 870 EVO SATA SSD Series

Popular Reviews

CeBIT 2005

CeBIT 2005

Zidoo Z9S 4K Media Player review

Zidoo Z9S 4K Media Player review

CeBIT 2006

CeBIT 2006

LiteOn iHBS112 review

LiteOn iHBS112 review

Club3D HD3850

Club3D HD3850

Crucial P1 NVMe 1TB SSD review

Crucial P1 NVMe 1TB SSD review

Toshiba Exceria M303 64GB and M501 Exceria Pro 64GB MicroSDXC review

Toshiba Exceria M303 64GB and M501 Exceria Pro 64GB MicroSDXC review

Hitachi DZ-MV100A DVD Camcorder

Hitachi DZ-MV100A DVD Camcorder

  • Home
  • News
  • Reviews
  • Forum
  • Legacy
  • About
    • Submit News

    • Contact Us
    • Privacy

    • Promotion
    • Advertise

    • RSS Feed
    • Site Map
  • About
  • Privacy
  • Contact Us
  • Promotional Opportunities @ CdrInfo.com
  • Advertise on out site
  • Submit your News to our site
  • RSS Feed