#Privacy: PayPal confirms high-severity bug affecting login form

Researcher Alex Birsan has discovered a bug within PayPal which could allow threat actors to take over users’ accounts. 

Birsan uncovered the bug while exploring PayPal’s main authentication flow, where he noticed a JavaScript file containing what appeared to be a cross-site request forgery (CSRF) token and a session ID.

Birsan explained that attackers are able to retrieve any session data placed inside a valid JavaScript file: “In what is known as a cross-site script inclusion (XSSI) attack, a malicious web page can use an HTML `<script>` tag to import a script cross-origin, enabling it to gain access to any data contained within the file.”

Following a quick test, Birsan confirmed the XSSI vulnerability and found that the tokens were placed in predictable locations, which made them easy to retrieve.

The researcher soon discovered that after a few failed login attempts, PayPal requires users to solve a reCAPTCHA. 

If a possible brute-force attack is detected, the next authentication attempt is served a page containing a Google CAPTCHA. Once it is solved, an HTTP POST request is sent, with the CSRF token and session ID present in the request body.

The response to the request is meant to re-introduce the user into the authentication flow. “To this end, it contains a self-submitting form with all the data provided in the user’s latest login request, including their email and plain text password.”

With the correct timing and some user interaction, knowing all the tokens utilised in the request is enough to obtain the victim’s PayPal credentials. Birsan added that in a real-life attack, the only user interaction needed would have been “a single visit to an attacker-controlled web page.”

PayPal confirmed in a post that “sensitive, unique tokens were being leaked in a JS file used by the recaptcha implementation. In certain cases, a user must solve a CAPTCHA challenge after authenticating. When the security challenge is completed, the authentication request is replayed to log in. The exposed tokens were used in the POST request to solve the CAPTCHA.”

Birsan submitted his proof of concept to PayPal’s bug bounty program on November 18, 2019, and HackerOne validated it 18 days later. PayPal has since implemented additional controls on the security challenge request, and the vulnerability has been patched.

PayPal awarded Birsan a $15,300 bounty on December 10, 2019. 
