A hacker, Alex Birsan, has discovered a high-severity vulnerability in the main authentication flow of the PayPal platform.

Alex Birsan discovered the vulnerability, which could have allowed hackers to steal users’ data. The company said it has fixed the issue and that no one’s personal information was compromised.

The discovery earned Birsan a $15,300 reward and allowed the company to fix the problem.

In a statement, PayPal spokeswoman Kim Eichorn explained: “While this was a potential vulnerability brought to the company through our bug bounty program, no user information was exposed.”

The statement further noted that a JS file used by the reCAPTCHA implementation contained sensitive, unique tokens. In certain circumstances, users have to solve a CAPTCHA challenge after authenticating, and PayPal noted that the POST request to solve the CAPTCHA used the exposed tokens.

Birsan’s discovery of the vulnerability

According to Birsan, the fact that a JavaScript (JS) file contained what looked like a cross-site request forgery (CSRF) token and a session ID caught his attention. He further explained that session data inside a valid JavaScript file usually allows attackers to retrieve that data, because a script file, unlike an HTML page, can be loaded by any origin.

“The circumstances have several failed login attempts that kick off the reCAPTCHA authentication challenge, which is OK, until you realize that the response to the next authentication attempt is a page containing nothing but a Google captcha. If the user solves the captcha, an HTTP POST request to /auth/validate captcha is initiated,” Birsan explained.
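The risk Birsan describes, a per-user CSRF token and session ID embedded in a JavaScript resource, comes down to the fact that any origin can load a script file with a script tag, so nothing inside it is confidential to the site; such values belong in same-origin HTML or in a JSON endpoint that browsers will not execute as script. Below is an added example, not code from the article, from Birsan or from PayPal, of a defensive check a team could run over staging responses or in CI: it flags script responses that embed session-bound values. The property-name list, the sample JavaScript and the `/auth/validatecaptcha` reference are constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of a leaky script resource (illustration only, not PayPal's real file):
# per-user CSRF token and session ID shipped inside a JavaScript file.
LEAKY_JS = """
window.__cfg = {
  csrfToken: "a1b2c3d4e5f60718293a4b5c6d7e8f90",
  sessionId: "S-11112222-3333-4444",
  captchaEndpoint: "/auth/validatecaptcha"
};
"""

# Constructed sample of the same configuration with only non-secret values.
CLEAN_JS = """
window.__cfg = { captchaEndpoint: "/auth/validatecaptcha" };
"""

# Hypothetical list of property-name fragments that suggest per-user secrets.
# Matches `name: "value"` or `name = "value"` with a value of at least 8 characters.
SENSITIVE_KEY = re.compile(
    r"""(?P<key>[A-Za-z_]*(?:csrf|xsrf|sess|auth_?token|access_?token)[A-Za-z_]*)"""
    r"""\s*[:=]\s*["'](?P<val>[^"']{8,})["']""",
    re.IGNORECASE,
)

SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}


@dataclass
class Finding:
    key: str            # property name that matched
    value_preview: str  # first characters only, so reports do not re-leak the secret
    line: int           # 1-based line number inside the script body


def scan_js(body: str) -> list[Finding]:
    """Return every assignment in the script body whose name looks session-bound."""
    findings: list[Finding] = []
    for lineno, line in enumerate(body.splitlines(), 1):
        for m in SENSITIVE_KEY.finditer(line):
            findings.append(Finding(m.group("key"), m.group("val")[:4] + "...", lineno))
    return findings


def response_is_risky(content_type: str, body: str) -> bool:
    """A response is risky when it is served as JavaScript and embeds session-bound values.

    Inline scripts inside an HTML page are not flagged: HTML is same-origin readable only,
    whereas a script-typed resource can be included by any origin.
    """
    media_type = content_type.split(";")[0].strip().lower()
    return media_type in SCRIPT_TYPES and bool(scan_js(body))


if __name__ == "__main__":
    for label, body in (("leaky", LEAKY_JS), ("clean", CLEAN_JS)):
        risky = response_is_risky("text/javascript; charset=utf-8", body)
        print(f"{label}: risky={risky}")
        for f in scan_js(body):
            print(f"  line {f.line}: {f.key} = {f.value_preview}")
```

The check only reports a short prefix of each matched value so that its own output does not become a second place the token is stored. Pairing it with a cache-header check (per-user script responses must not be cacheable by shared caches) closes the related case where one user's tokens are served to another.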

He acknowledges that PayPal patched the vulnerability after he submitted his findings.

Upbit victim of hackers

Notably, South Korea-based Upbit has restarted wallet services two months after falling victim to hackers who made off with $49 million in cryptocurrency.

The exchange recently announced that, following an upgrade to its security system, it is able to support ETH deposits and withdrawals again.

The exchange reportedly transferred all remaining digital assets into cold storage as a precaution. According to its CEO Lee Seok-woo, user funds remained intact. He noted in a statement following the attack that Upbit would suspend all trading functions temporarily.

PayPal has also recently been in the headlines as its partnership with Facebook’s proposed digital currency Libra turned sour, although its CEO, Dan Schulman, took time to address the matter and give insight into why the online payment processor left Facebook’s Libra. Its ban on adult entertainment website Pornhub also caused controversy for the payment platform.
