A High-Severity PayPal Security Vulnerability Was Capable of Exposing Users' Passwords to Hackers


With over 286 million active accounts, PayPal is by far the biggest and most popular payment processor in the world. It has achieved that title not only because it provides a reliable, easy-to-use service, but also because its developers and software engineers have implemented a number of security features that give users the peace of mind they're after when processing online payments. Ironically enough, one of these security features had a bug in it that was capable of leaving users exposed to account takeover attacks.

A security expert discovers a severe PayPal vulnerability

The vulnerability was discovered by Alex Birsan, a Romanian information security consultant and software engineer who also spends time bug hunting. He was poking through PayPal's login process when he noticed a JavaScript file that contained a Cross-Site Request Forgery (CSRF) token and a session ID. Birsan was intrigued.

He mentioned in his public disclosure that leaving this sort of data in a JS file could expose it to hackers. Sure enough, using a technique known as Cross-Site Script Inclusion (XSSI), he put together a scenario in which an attacker would have been able to steal the CSRF token and the session ID from a user who had been tricked into visiting a malicious page.
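The XSSI exposure described above comes down to how the response is delivered: a file that the browser treats as JavaScript and that assigns per-user secrets to globals can be loaded by any origin with a plain script tag. The following is an added example, not PayPal's code or part of Birsan's disclosure, showing that vulnerable pattern next to a hardened delivery of the same tokens. The header names are real (Fetch Metadata and `X-Content-Type-Options`); the endpoint, token values and function names are constructed for illustration.

```javascript
// Added example (not PayPal's code): delivering per-session secrets such as a
// CSRF token without exposing them to Cross-Site Script Inclusion (XSSI).
// Token values and function names are constructed for illustration.

// Vulnerable pattern: the response is executable JavaScript that assigns the
// secrets to globals. Any origin can include it with <script src=...> and then
// read window.csrfToken / window.sessionId.
function vulnerableTokenScript(tokens) {
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `var csrfToken = ${JSON.stringify(tokens.csrfToken)};\n` +
          `var sessionId = ${JSON.stringify(tokens.sessionId)};\n`,
  };
}

// Fetch Metadata headers are set by the browser and cannot be forged by page
// script. A <script src> include from another origin arrives with
// Sec-Fetch-Dest: script and Sec-Fetch-Site: cross-site (or same-site).
function isCrossSiteScriptInclusion(headers) {
  const dest = headers['sec-fetch-dest'];
  const site = headers['sec-fetch-site'];
  return dest === 'script' && site !== undefined && site !== 'same-origin';
}

// Hardened pattern: refuse script includes from other origins outright, and
// make the body unusable as a script even for browsers that send no Fetch
// Metadata: JSON behind an anti-XSSI prefix that is a syntax error when
// parsed as JavaScript, plus nosniff so the browser never treats it as script.
function hardenedTokenResponse(headers, tokens) {
  if (isCrossSiteScriptInclusion(headers)) {
    return { status: 403, headers: {}, body: '' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      'Cache-Control': 'no-store',
    },
    body: ")]}',\n" + JSON.stringify(tokens),
  };
}

// Same-origin client code strips the prefix before parsing the JSON.
function parseProtectedJson(body) {
  const prefix = ")]}',\n";
  if (!body.startsWith(prefix)) throw new Error('missing anti-XSSI prefix');
  return JSON.parse(body.slice(prefix.length));
}

// Demonstrates the difference: does the body parse as a JavaScript program?
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return e instanceof SyntaxError ? false : true;
  }
}
```

The Fetch Metadata check is the primary control in current browsers; the prefix and `nosniff` header cover clients that do not send those headers, and the same-origin client has to strip the prefix deliberately, which keeps the secret readable only to code that already runs in the user's own origin.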

Initially, Alex Birsan thought that this was terrible news. He assumed that the token and the session ID were enough to impersonate a user. After numerous attempts to take over his own account, however, he realized that a successful attack would require more work. Nevertheless, he pressed on.

The vulnerability hides in a security feature designed to stop brute-force attacks

After more investigation, Birsan found out that the CSRF token and the session ID were actually used by PayPal's CAPTCHA mechanism. CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart, is one of the simplest forms of protection against brute-force attacks.

Unlike many other online services, PayPal has decided not to include a CAPTCHA challenge below the main login form. Instead, it appears on a blank page after a preset number of failed login attempts. Once the user successfully solves the CAPTCHA challenge, an HTTP POST request is sent to PayPal, which, in addition to the aforementioned CSRF token and session ID, also contains the username and password the user entered during the most recent login attempt in plain text. Some more head-scratching later, Alex Birsan was ready with the proof of concept.

An attacker would first use XSSI to extract the CSRF token and the session ID valid for the user's browser. Then, they would make a few login attempts using random credentials, which would trigger the CAPTCHA challenge. When the user logs into their account using the same browser, the random usernames and passwords would be overwritten by the valid credentials. Then, all an attacker would need is another CAPTCHA token (which can be retrieved relatively easily using a CAPTCHA solving service) to reveal the target's login data in plain text.
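The root cause in the flow described above is that the CAPTCHA confirmation request carried the credentials of the most recent login attempt, so whoever held the session's tokens and a CAPTCHA solution received them back. As an added example, not PayPal's code, here is a CAPTCHA gate designed so that no credential from any attempt is ever stored or echoed: the server keeps only a per-session failure counter, and once the threshold is reached the user submits the CAPTCHA solution together with their credentials in one request. The threshold, user store and CAPTCHA verifier are constructed stand-ins.

```javascript
// Added example (not PayPal's code): a CAPTCHA-gated login in which the server
// remembers only how many attempts failed, never what was submitted. The
// user store, threshold and CAPTCHA verifier below are constructed.

const MAX_FAILURES_BEFORE_CAPTCHA = 3;

// Constructed user store. Plain-text passwords are used only to keep the toy
// short; a real service stores a salted password hash and compares in
// constant time.
const USERS = new Map([['alice', 'correct-horse-battery']]);

// Per-session state: a failure counter and nothing else. There is no field
// in which a username or password could be retained between requests.
const sessions = new Map();

function getSession(sessionId) {
  if (!sessions.has(sessionId)) {
    sessions.set(sessionId, { failures: 0 });
  }
  return sessions.get(sessionId);
}

// Constructed CAPTCHA verifier: only the solution 'human' is accepted.
function captchaSolutionIsValid(solution) {
  return solution === 'human';
}

// A single request carries the credentials and, once the gate is up, the
// CAPTCHA solution. The solution proves a human is present; it never stands
// in for the credentials, and no earlier attempt is replayed.
function login(sessionId, username, password, captchaSolution) {
  const s = getSession(sessionId);
  if (s.failures >= MAX_FAILURES_BEFORE_CAPTCHA && !captchaSolutionIsValid(captchaSolution)) {
    // Gate is up and no valid solution accompanied the attempt: do not even
    // check the password, so the CAPTCHA cannot be bypassed by guessing.
    return { ok: false, captchaRequired: true };
  }
  const expected = USERS.get(username);
  if (expected === undefined || expected !== password) {
    s.failures += 1;
    return { ok: false, captchaRequired: s.failures >= MAX_FAILURES_BEFORE_CAPTCHA };
  }
  s.failures = 0;
  return { ok: true, captchaRequired: false };
}
```

Because the CAPTCHA solution is consumed by the same request that carries the credentials, there is no separate confirmation step that could hand anything back; a party that holds only the session identifier and a solved CAPTCHA gets a verdict about its own submission and nothing about anyone else's.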

PayPal moves quickly to patch the vulnerability

As you can see, finding a way to exploit the bug was hardly a walk in the park. Nevertheless, the proof-of-concept attack showed that, if left unpatched, the vulnerability could cause severe financial losses to some people, which is why, when Birsan submitted his report through PayPal's bug bounty program on the HackerOne platform, he assigned it a high CVSS score.

The first report was sent on November 18, and after 18 days, HackerOne finally validated Birsan's findings. PayPal acknowledged the problem and agreed that it's pretty serious. On December 10, Birsan was awarded a bounty of just over $15,300 (the sum PayPal reserves for high-severity bugs), and just 24 hours later, the vulnerability was already patched. Birsan described the speed with which PayPal resolved the issue as "impressive" – praise that is rarely given out nowadays.

January 15, 2020