Paypal confirms users may have been affected by security breach

According to a report by security researcher Alex Birsan, PayPal exposed user passwords to hackers. PayPal has confirmed the claims and admitted that weaknesses in its security could have put users at risk in early December 2019.

The issue was disclosed last week, and Birsan was reportedly awarded $15,300 for discovering it. He said that he found the flaw while looking at the main authentication flow on the website itself.

He noticed that a JavaScript file on the website didn't look right: it contained what appeared to be a cross-site request forgery (CSRF) token and a session ID. He noted that exposing session data within a JavaScript file "usually allows it to be retrieved by attackers."

In a public disclosure, he said that "This is the story of a high-severity bug affecting what is probably one of PayPal's most visited pages." Birsan says that there was a workaround to PayPal's security measures that was easy for hackers to discover.

PayPal has since carried out its own investigation into the concerns. It says that "sensitive, unique tokens were being leaked in a JS file used by the recaptcha implementation."
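The reason a token inside a script file is dangerous is that any origin can load a script with a plain `<script>` tag, whereas a same-origin JSON endpoint or an HttpOnly cookie is not readable cross-origin. The following scanner is an added example, not code from the article, from Birsan or from PayPal: it walks a set of HTTP responses (as a deploy-time or CI check over your own static assets would) and flags JavaScript bodies that assign token-looking values to names such as `_csrf` or `sessionID`. The URLs, identifier list and response bodies are all constructed for the demo.

```python
"""Added example: flag JavaScript responses that embed per-session secrets.

Constructed for illustration; the URLs and bodies below are not real.
"""
import re
from dataclasses import dataclass

# Identifier names that commonly hold per-session secrets (constructed list).
SECRET_NAMES = (
    r"(?:csrf[_-]?token|_csrf|xsrf[_-]?token|session[_-]?id|sid|auth[_-]?token)"
)

# Match `name = "value"`, `name: "value"` or `"name": "value"` where the value
# is at least 16 characters from a token-like alphabet.
SECRET_ASSIGN = re.compile(
    r'["\']?(?P<name>' + SECRET_NAMES + r')["\']?\s*[:=]\s*'
    r'["\'](?P<value>[A-Za-z0-9_\-+/=.]{16,})["\']',
    re.IGNORECASE,
)

# Only script bodies are loadable cross-origin via <script>; JSON is not.
SCRIPT_TYPES = ("application/javascript", "text/javascript", "application/x-javascript")


@dataclass
class Finding:
    url: str
    name: str
    value_prefix: str  # only a prefix is kept so the report itself does not leak the secret


def scan_response(url, content_type, body):
    """Return findings for one response; non-script content types are skipped."""
    mime = content_type.split(";")[0].strip().lower()
    if mime not in SCRIPT_TYPES:
        return []
    return [
        Finding(url, m.group("name"), m.group("value")[:6] + "...")
        for m in SECRET_ASSIGN.finditer(body)
    ]


def scan_all(responses):
    """Scan an iterable of (url, content_type, body) triples."""
    findings = []
    for url, content_type, body in responses:
        findings.extend(scan_response(url, content_type, body))
    return findings


# Constructed sample responses: one clean script, one leaking script, one JSON
# endpoint that holds the same token but is not reachable cross-origin.
SAMPLE_RESPONSES = [
    ("https://example.test/static/app.js", "application/javascript",
     "var cfg = { apiBase: '/v1', locale: 'en' };"),
    ("https://example.test/captcha/init.js", "text/javascript; charset=utf-8",
     "window._csrf = 'AbCdEf0123456789XyZ';\nvar sessionID = \"9f8e7d6c5b4a3210ffee\";"),
    ("https://example.test/api/session", "application/json",
     '{"_csrf": "AbCdEf0123456789XyZ"}'),
]

if __name__ == "__main__":
    for f in scan_all(SAMPLE_RESPONSES):
        print(f"{f.url}: {f.name} = {f.value_prefix}")
```

Run against the constructed samples, only the captcha script is reported (two findings); the JSON response carrying the same token is ignored because a script tag cannot read it. The identifier list is deliberately short; extend it with the names your own templates use, and treat any hit as a reason to move the value into an HttpOnly cookie or a same-origin, credentialed fetch.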

When using the site, users are in some cases required to complete a CAPTCHA challenge before the page will proceed. After a number of failed login attempts, users may not be required to complete the challenge.

PayPal added that, for the flaw to be exploited, users would have to follow a link from a malicious site and then be tricked into entering their login details and password. If they did so, hackers could obtain that information and complete the security check.

The company said in a statement, “This exposure only occurred if a user followed a login link from a malicious site, similar to a phishing page.”
