Experts On News: PayPal Confirms High-severity Password Vulnerability

By   ISBuzz Team
Writer , Information Security Buzz | Jan 13, 2020 06:00 am PST

PayPal has recently confirmed that a researcher found a high-severity security vulnerability in CAPTCHA that could expose user passwords to an attacker. The researcher, Alex Birsan, earned a bug bounty of $15,300 (£11,700) for reporting the problem, which was disclosed January 8 having been patched by PayPal on December 11, 2019.

1 Expert Comment

Dan Conrad, Field Strategist
January 13, 2020 2:01 pm

PayPal’s attempt to validate a user and prevent a scripting attack by using CAPTCHA was actually misconfigured, and created a vulnerability; granted the vulnerability was taking advantage of an outside cross-site request forgery where a user would be attempting to authenticate to PayPal from a malicious site. In this case, the attempt to mitigate a vulnerability by further validating the authentication was a person and not a script that created a problem. This shows that even layers of added security must be validated.

Bug Bounties are a good way to encourage ethical disclosure of vulnerabilities, which gives organisations the time to patch the issue before it can be exploited or posted online for cybercriminals to use.
