PayPal Fixes 'High-Severity' Password Security Vulnerability
Researcher Alex Birsan, while examining PayPal's main authentication flow– discovered a critical security flaw that hackers could have exploited to access passwords and email addresses of users. He responsibly reported the vulnerability to PayPal on November 18, 2019, via the HackerOne bug bounty platform and received a bug bounty over $15,000 for the issue which was acknowledged by HackerOne after 18 days of its submission and later patched by the company on 11th December 2019.
The aforementioned bug affected one of the primary and most visited pages amongst all of PayPal's, which is its 'login form' as mentioned by Birsan in the public disclosure of the flaw.
As Birsan was exploring the main authentication flaw at PayPal, his attention got directed to a javascript file that seemingly contained a cross-site request forgery (CSRF) token along with a session ID. "providing any kind of session data inside a valid javascript file," the expert told in his blog post, "usually allows it to be retrieved by attackers."
"In what is known as a cross-site script inclusion (XSSI) attack, a malicious web page can use an HTML