PayPal Confirms ‘High-Severity’ Password Security Vulnerability (Jan 10, 2020)
PayPal has confirmed a high-severity vulnerability that could have exposed users' plaintext passwords to an attacker. Security researcher Alex Birsan reported the flaw to PayPal on November 18, 2019, and a fix was deployed 18 days later. According to PayPal, "sensitive, unique tokens were being leaked in a JS file used by the recaptcha implementation"; because a browser will load a JavaScript file through a script tag from any origin, those tokens could be stolen with a Cross-Site Script Inclusion (XSSI) attack. Birsan explained that an attacker would first have to lure the target to a malicious website before the target logged in to PayPal. With the leaked tokens, the attacker could then replay the Google reCAPTCHA validation request, and the response to that request contained the plaintext username and password from the user's most recent login attempt, which PayPal was holding in session data. Phishing and social engineering make luring a user to such a page a realistic step for a motivated attacker. PayPal's patch "implemented additional controls on the security challenge request to prevent token reuse, which resolved the issue, and no evidence of abuse was found," according to the company.
Recommendation: Credentials should never be held in plaintext, whether in long-term storage or in server-side session state, and a server should never echo a submitted password back in any response. As Birsan notes, the risk to PayPal would have been avoided entirely had the system been designed never to retain the plaintext username and password in the first place. Because stolen credentials are routinely tried against other services, your company should also enforce password policies that prevent reuse of the same password across accounts. Finally, policies should ensure that all employees apply vendor patches as soon as they are released.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.