PayPal has confirmed that a researcher found a high-severity security vulnerability that could expose user passwords to an attacker. The researcher, Alex Birsan, earned a bug bounty of $15,300 (£11,700) for reporting the problem, which PayPal patched on December 11, 2019 and which was publicly disclosed on January 8.
Hacker explores PayPal login form, finds a big problem
“This is the story of a high-severity bug affecting what is probably one of PayPal’s most visited pages,” Birsan wrote in his public disclosure of the vulnerability, “the login form.”
PayPal confirms high-severity password vulnerability
PayPal confirmed that “sensitive, unique tokens were being leaked in a JS file used by the recaptcha implementation.” In certain circumstances users have to solve a CAPTCHA challenge after an authentication attempt, and PayPal noted that “the exposed tokens were used in the POST request to solve the CAPTCHA.” The circumstance in question is several failed login attempts, which trigger the reCAPTCHA challenge. That is acceptable in itself, until you consider the flow Birsan described: “the response to the next authentication attempt is a page containing nothing but a Google captcha. If the captcha is solved by the user, an HTTP POST request to /auth/validatecaptcha is initiated.”
Forbes