Security researcher Alex Birsan received a $15,300 bug bounty for discovering a critical vulnerability in PayPal's authentication process.

The researcher explains that the vulnerability stemmed from the way PayPal stored CSRF tokens and session IDs in a JavaScript file, which made them readable by attackers through cross-site script inclusion (XSSI). Although the file was obfuscated on every request, with variable names randomized, it was still possible to predict where the tokens were located and retrieve them.

Although session IDs and tokens are useless for direct attacks on their own, Birsan used them to subvert the mechanism that protects PayPal against brute force. After several unsuccessful login attempts, the user is required to solve a reCAPTCHA challenge. That page contains nothing but the Google CAPTCHA, and when the challenge is solved successfully, a POST request to /auth/validatecaptcha is issued.

The response to that request is meant to put the user back into the authentication flow. To do so, it contains a form pre-filled with all the data from the user's most recent login request, including their email address and their password in plain text. To reach these credentials, an attacker needs to lure the victim to a malicious site before they log in to their PayPal account.

Since the CSRF token and session ID appear in the request body alongside two other tokens, the victim's credentials can be obtained once every token used in the request is known. Of the two remaining tokens, one is not validated at all, while the other is the reCAPTCHA token that Google issues when the challenge is solved. The latter is not bound to the session, so any valid token will do, including one obtained from an automated solving service.

Using the above, the researcher built an exploit that first used the XSSI vulnerability to obtain the victim's valid tokens and then simulated a brute-force attempt to trigger the protection mechanism.

Birsan reported the vulnerability to PayPal through the HackerOne platform in November 2019. By December 11, 2019, the developers had released a patch, and the researcher was awarded $15,300 for the find.
