Experts On News: PayPal Confirms High-severity Password Vulnerability

PayPal has confirmed that a researcher found a high-severity security vulnerability in its CAPTCHA flow that could expose user passwords to an attacker. The researcher, Alex Birsan, earned a bug bounty of $15,300 (£11,700) for reporting the problem, which was disclosed on January 8, having been patched by PayPal on December 11, 2019.

1 Expert Comment
Dan Conrad, Field Strategist (InfoSec Expert), January 13, 2020 2:01 pm

PayPal’s attempt to validate a user and prevent a scripting attack by using CAPTCHA was actually misconfigured and created a vulnerability; granted, the vulnerability was taking advantage of an outside cross-site request forgery, where a user would be attempting to authenticate to PayPal from a malicious site. In this case, it was the attempt to mitigate a vulnerability by further validating that the authentication came from a person and not a script that created a problem. This shows that even layers of added security must be validated.

Bug bounties are a good way to encourage ethical disclosure of vulnerabilities, which gives organisations the time to patch the issue before it can be exploited or posted online for cybercriminals to use.

Information Security Buzz