A researcher has earned over $15,000 from PayPal for reporting a critical vulnerability that could have been exploited by hackers to obtain user email addresses and passwords.
Identified while analyzing PayPal’s main authentication flow, the issue was related to PayPal placing cross-site request forgery (CSRF) tokens and the user session ID in a JavaScript file, thus making them retrievable by attackers via cross-site script inclusion (XSSI) attacks.
An obfuscator was used to randomize variable names on each request, but one could still predict where interesting tokens are located, and then retrieve them, security researcher Alex Birsan explains.
And while the CSRF tokens and session ID could not be used to launch direct attacks, the researcher discovered a way to leverage them in an assault targeting the security challenge used by PayPal as a protection mechanism against brute force attacks.
After several login attempts, the user is required to solve a reCAPTCHA challenge before continuing. The page the user is served contains nothing but a Google CAPTCHA and, if the challenge is solved successfully, an HTTP POST request to /auth/validatecaptcha is initiated.
“The response to the captcha validation request is meant to re-introduce the user into the authentication flow. To this end, it contains a self-submitting form with all the data provided in the user’s latest login request, including their email and plain text password,” Birsan explains.
In order to obtain the credentials, an attacker would need to convince the targeted user to visit a malicious website before logging in to their PayPal account.
The researcher discovered that the CSRF token and session ID are present in the request body, along with two ..
Support the originator by clicking the read the rest link below.
