Experts On News: PayPal Confirms High-severity Password Vulnerability

PayPal has confirmed that a researcher found a high-severity security vulnerability in the CAPTCHA step of its login flow that could expose user passwords to an attacker. The researcher, Alex Birsan, earned a bug bounty of $15,300 (£11,700) for reporting the problem, which was disclosed on January 8, 2020, after PayPal patched it on December 11, 2019.

Experts Comments

January 13, 2020
Dan Conrad
Field Strategist
One Identity
PayPal’s attempt to validate a user and prevent a scripting attack by using CAPTCHA was actually misconfigured, and created a vulnerability; granted, the vulnerability was taking advantage of an outside cross-site request forgery, where a user would be attempting to authenticate to PayPal from a malicious site. In this case, it was the attempt to mitigate a vulnerability by further validating that the authentication was by a person and not a script that created the problem. This shows that even layers of added security must be validated. Bug bounties are a good way to encourage ethical disclosure of vulnerabilities, which gives organisations the time to patch the issue before it can be exploited or posted online for cybercriminals to use.
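The comment above makes the general point that a challenge step bolted onto a login (here, a CAPTCHA) is itself an endpoint that must resist cross-site request forgery, otherwise a page the victim visits elsewhere can drive it. The following is an added example written for this page, not PayPal's code and not a reconstruction of the reported bug: it models a generic two-step login in which step one parks the submitted credentials in the session and step two is a CAPTCHA challenge that completes the login. The weak handler trusts the session cookie alone, so a cross-site POST from an attacker's page completes the challenge and receives the response (modelled here as carrying the parked credentials, since the story is that passwords were exposed). The hardened handler adds the checks a practitioner would expect: an Origin allow-list, a per-session synchronizer token compared in constant time, and no credential echo. All names, the request shape, the origin `https://www.example.com` and the sample credentials are assumptions constructed for the example.

```python
"""Generic CSRF protection for a login 'security challenge' endpoint.

Added example for this page. It is not PayPal's code and does not
reproduce the reported vulnerability; all names, the request model and
the sample data are assumptions made for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed first-party origin of the login page.
ALLOWED_ORIGINS = {"https://www.example.com"}


@dataclass
class Request:
    """Minimal model of what the server sees; constructed for the example."""
    method: str
    origin: Optional[str]                 # Origin header, if the browser sent one
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    sid: str
    csrf_token: str
    pending_login: Optional[dict] = None  # credentials parked between steps


def start_login(username: str, password: str) -> Session:
    """Step 1: park the credentials and mint a per-session anti-CSRF token.

    The token is only ever rendered into the first-party challenge page, so a
    page on another origin cannot read it.
    """
    return Session(sid=secrets.token_urlsafe(16),
                   csrf_token=secrets.token_urlsafe(32),
                   pending_login={"user": username, "pw": password})


def session_cookie_header(sess: Session) -> str:
    """Cookie attributes that stop the browser attaching the session to
    cross-site POSTs at all (defence in depth beside the server-side checks)."""
    return f"sid={sess.sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def challenge_weak(req: Request, sessions: dict) -> dict:
    """Vulnerable pattern: the session cookie is the only thing checked.

    A form on an attacker's site that POSTs to this endpoint is sent with the
    victim's cookie, completes the challenge, and the response (which here
    carries the parked credentials) goes back to the attacker-controlled page.
    """
    sess = sessions.get(req.cookies.get("sid"))
    if sess is None or sess.pending_login is None:
        return {"status": 401}
    return {"status": 200, "login": sess.pending_login}


def challenge_hardened(req: Request, sessions: dict) -> dict:
    """Same endpoint with the CSRF checks the challenge step needs."""
    sess = sessions.get(req.cookies.get("sid"))
    if sess is None or sess.pending_login is None:
        return {"status": 401}
    if req.method != "POST":
        return {"status": 405}
    # 1. Browsers attach Origin to cross-site POSTs; anything not ours is refused.
    if req.origin not in ALLOWED_ORIGINS:
        return {"status": 403, "reason": "bad-origin"}
    # 2. Synchronizer token: the attacker's page cannot obtain it, and the
    #    comparison is constant-time so it cannot be guessed byte by byte.
    if not hmac.compare_digest(req.form.get("csrf", ""), sess.csrf_token):
        return {"status": 403, "reason": "bad-csrf"}
    # 3. Consume the parked login and never echo the credentials back.
    sess.pending_login = None
    return {"status": 200}


if __name__ == "__main__":
    sessions = {}
    s = start_login("alice", "hunter2")          # constructed sample credentials
    sessions[s.sid] = s
    forged = Request("POST", "https://evil.example", {"sid": s.sid}, {})
    print("weak    :", challenge_weak(forged, sessions))
    print("hardened:", challenge_hardened(forged, sessions))
```

Running the block as a script shows the forged request succeeding against `challenge_weak` and being rejected with `bad-origin` by `challenge_hardened`; supplying a first-party Origin but a guessed token is rejected with `bad-csrf`, and only the token rendered into the first-party page completes the step, after which the parked credentials are gone.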