SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    PayPal Patches Vulnerability that Exposed User Passwords
Date    Sunday January 12 2020, @06:35PM
Author    Fnord666
Topic   
from the what's-[left]-in-your-wallet? dept.
https://soylentnews.org/article.pl?sid=20/01/12/056206

upstart writes in with an IRC submission for Bytram:

PayPal Patches Vulnerability That Exposed User Passwords:

A researcher has earned over $15,000 from PayPal for reporting a critical vulnerability that could have been exploited by hackers to obtain user email addresses and passwords.

Identified while analyzing PayPal's main authentication flow, the issue was related to PayPal placing cross-site request forgery (CSRF) tokens and the user session ID in a JavaScript file, thus making them retrievable by attackers via cross-site script inclusion (XSSI) attacks.

An obfuscator was used to randomize variable names on each request, but one could still predict where interesting tokens are located, and then retrieve them, security researcher Alex Birsan explains.

And while the CSRF tokens and session ID could not be used to launch direct attacks, the researcher discovered a way to leverage them in an assault targeting the security challenge used by PayPal as a protection mechanism against brute force attacks.

Original Submission

Links
  1. "upstart" - https://soylentnews.org/~upstart/
  2. "PayPal Patches Vulnerability That Exposed User Passwords" - https://www.securityweek.com/paypal-patches-vulnerability-exposed-user-passwords
  3. "explains" - https://medium.com/@alex.birsan/the-bug-that-exposed-your-paypal-password-539fc2896da9
  4. "Original Submission" - https://soylentnews.org/submit.pl?op=viewsub&subid=38518
© Copyright 2024 - SoylentNews, All Rights Reserved

printed from SoylentNews, PayPal Patches Vulnerability that Exposed User Passwords on 2024-04-25 15:40:01