PayPal Fixes Vulnerability That Exposed User Email and Password
Cybersecurity specialist Alex Birsan received $15,300 through PayPal’s bug bounty program after discovering a critical vulnerability in PayPal’s authentication process. Birsan explained that the vulnerability was related to how PayPal stored CSRF tokens and session IDs in a JavaScript file, making them accessible to attackers via XSSI (Cross-Site Script Inclusion) attacks. Although an obfuscator was used to randomize names with each request, it was still possible to predict the location of the tokens and extract them.
While session IDs and tokens alone are not useful for direct attacks, Birsan leveraged them to compromise the mechanism that protects PayPal from brute-force attacks. After several failed login attempts, users are required to solve a reCAPTCHA challenge. This page contains nothing but the Google CAPTCHA, and if the challenge is solved successfully, a POST request is sent to /auth/validatecaptcha.
The response to this request is supposed to return the user to the authentication process. It contains a form with all the data entered in the user’s last login attempt, including their email address and password in plain text. To access these credentials, an attacker would need to trick the victim into visiting a malicious website before logging into their PayPal account.
Since the CSRF token and session ID are present in the request body, along with two other tokens, the victim's credentials can be obtained if all the tokens used in the request are known. One of these two unknown tokens is never actually validated, while the other is the reCAPTCHA token provided by Google when the challenge is solved. The latter is not tied to a session, so any valid token can be used, including those from automated solving services.
Using this information, the researcher created an exploit that first used the XSSI vulnerability to obtain valid tokens from the victim, then attempted brute-force logins to trigger the security mechanism.
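As an added illustration (not code from the researcher's write-up or from PayPal), the following Python model shows the captcha-validation step with the vulnerable response pattern beside a hardened one: the fix that matters is that the last attempt's password never leaves the server, with a session-bound single-use challenge nonce as defence in depth. The session store, field names and tokens are constructed assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    sid: str
    csrf: str
    last_email: str = ""
    last_password: str = ""   # stays server-side; must never appear in a response
    captcha_nonce: str = ""   # hardened design: challenge bound to this session


SESSIONS: dict[str, Session] = {}  # constructed in-memory session store


def new_session() -> Session:
    s = Session(sid=secrets.token_hex(8), csrf=secrets.token_hex(8))
    SESSIONS[s.sid] = s
    return s


def record_failed_login(s: Session, email: str, password: str) -> None:
    """Called on a failed login; the flow then redirects to the captcha page."""
    s.last_email, s.last_password = email, password
    s.captcha_nonce = secrets.token_hex(8)  # issued together with the captcha page


def validatecaptcha_vulnerable(form: dict) -> dict:
    """Vulnerable pattern: session id + CSRF token + any present captcha token
    are accepted, and the response form replays the stored credentials."""
    s = SESSIONS.get(form.get("sid", ""))
    if s is None or form.get("csrf") != s.csrf or not form.get("captcha"):
        return {"status": 403}
    return {"status": 200,
            "form": {"email": s.last_email, "password": s.last_password}}


def validatecaptcha_hardened(form: dict, captcha_solved: bool) -> dict:
    """Hardened: the captcha result must carry this session's single-use nonce,
    and the response resumes the login by reference, without the password."""
    s = SESSIONS.get(form.get("sid", ""))
    if s is None or not secrets.compare_digest(form.get("csrf", ""), s.csrf):
        return {"status": 403}
    nonce = form.get("captcha_nonce", "")
    if not captcha_solved or not nonce or not secrets.compare_digest(nonce, s.captcha_nonce):
        return {"status": 403}
    s.captcha_nonce = ""  # single use: a replayed nonce is refused
    return {"status": 200, "form": {"email": s.last_email, "resume": True}}
```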
Birsan reported the vulnerability to PayPal via the HackerOne platform in November 2019. By December 11, 2019, PayPal developers had released a patch, and Birsan was rewarded $15,300 for discovering the bug.