[BreachExchange] PayPal Patches Vulnerability That Exposed User Passwords

[Destry Winant]

https://www.securityweek.com/paypal-patches-vulnerability-exposed-user-passwords

A researcher has earned over $15,000 from PayPal for reporting a
critical vulnerability that could have been exploited by hackers to
obtain user email addresses and passwords.

Identified while analyzing PayPal’s main authentication flow, the
issue was related to PayPal placing cross-site request forgery (CSRF)
tokens and the user session ID in a JavaScript file, thus making them
retrievable by attackers via cross-site script inclusion (XSSI)
attacks.

An obfuscator was used to randomize variable names on each request,
but one could still predict where interesting tokens are located, and
then retrieve them, security researcher Alex Birsan explains.

And while the CSRF tokens and session ID could not be used to launch
direct attacks, the researcher discovered a way to leverage them in an
assault targeting the security challenge used by PayPal as a
protection mechanism against brute force attacks.

After several login attempts, the user is required to solve a
reCAPTCHA challenge before continuing. The page the user is served
contains nothing but a Google CAPTCHA and, if the challenge is solved
successfully, an HTTP POST request to /auth/validatecaptcha is
initiated.

“The response to the captcha validation request is meant to
re-introduce the user into the authentication flow. To this end, it
contains a self-submitting form with all the data provided in the
user’s latest login request, including their email and plain text
password,” Birsan explains.

In order to obtain the credentials, an attacker would need to convince
the targeted user to visit a malicious website before logging in to
their PayPal account.

The researcher discovered that the CSRF token and session ID are
present in the request body, along with two other tokens, and
concluded that the victim’s PayPal credentials could be retrieved if
all the tokens used in the request were known.

The value of one of these unknown tokens is not validated, while the
other is recaptcha, the token provided by Google upon solving a
reCAPTCHA challenge, which was not tied to the session, meaning that
any valid token, including one from an automated solving service,
could be used instead.

Birsan created code that would exploit the initial XSSI vulnerability
to retrieve valid tokens from the victim’s session, then simulate a
brute-force attempt to trigger the security challenge flow.

“Once the victim logged in to PayPal using the same browser, the
cached random credentials would be replaced by the user’s own email
and password. The last step was obtaining a fresh reCAPTCHA token,
after which the plain text credentials would be retrieved from the
/auth/validatecaptcha endpoint and displayed on the page,” the
researcher explains.

In order to obtain the credentials, an attacker would need to convince
the targeted user to visit a malicious website before the user logged
in to their PayPal account.

The same vulnerable process was also found to be used on some
unauthenticated checkout pages, resulting in plain text credit card
data being leaked using the very same technique.

The researcher reported the vulnerability to PayPal, via HackerOne, on
November 18. It was validated 18 days later and a patch was released
on December 11. PayPay awarded Birsan a $15,300 bug bounty reward for
his finding.

As part of the patch, an additional CSRF token is requested by the
/auth/validatecaptcha endpoint, and this token cannot be leaked using
cross-site script inclusion, the researcher says.

“While this properly fixes the vulnerability, I believe that the whole
thing could have been prevented when designing the system by following
one of the oldest and most important pieces of infosec advice: Never
store passwords in plain text,” Birsan concludes.