
Paypal hacker got rewarded for revealing company’s security vulnerability


For reporting a security vulnerability that could expose user passwords to an attacker, PayPal paid Alex Birsan a bug bounty of $15,300 (£11,700). PayPal openly acknowledged that Birsan, a security researcher, discovered the flaw and reported it to them.

Birsan reported the vulnerability on January 8. PayPal had already fixed it in December, but still rewarded him.

In his public disclosure, Birsan described it as a high-severity bug affecting one of PayPal’s most visited pages, the login form. He discovered it while exploring PayPal’s main authentication flow.

PayPal’s loopholes

According to Birsan, his attention was drawn to a JavaScript (JS) file that contained what looked like a cross-site request forgery (CSRF) token and a session ID. “Providing any kind of session data inside a valid javascript file,” Birsan said, “usually allows it to be retrieved by attackers.”

PayPal confirmed that sensitive, unique tokens were being leaked in a JS file used by its reCAPTCHA implementation. In certain circumstances, users had to solve a CAPTCHA challenge after authenticating, and PayPal noted that the exposed tokens were used in the POST request that submits the CAPTCHA solution.

PayPal also confirmed the conditions under which the leak mattered: after solving the CAPTCHA, a user would have to visit another (malicious) site and enter their PayPal credentials there. This would let the attacker complete the security challenge, and the replayed authentication request would then reveal the password.

PayPal stressed, however, that the exposure only occurred if a user followed a login link from a malicious site.
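As an added example, not code from the original article, from PayPal or from Birsan, the following audit helper flags the class of defect described above: per-user values such as a CSRF token or session ID inlined in a script response that any origin can load with the victim’s cookies. The script bodies and header values are constructed for the demo, and the property-name patterns are an assumption about how such values are commonly named.

```python
import re

# Constructed sample script responses for the demo; not PayPal's real files.
SAFE_JS = "window.cfg = {locale: 'en_US', captchaSiteKey: 'pub-site-key-123'};"
LEAKY_JS = ("window.cfg = {locale: 'en_US',"
            " csrfToken: 'c7f1a9d2e4b6f8a0c2d4e6f8a1b3c5d7',"
            " sessionId: 'SESS-0123456789abcdef'};")

# Property names under which per-user secrets tend to be inlined (assumed
# naming conventions), followed by a quoted value of at least 8 characters.
SECRET_KEY_RE = re.compile(
    r"""\b(?P<key>(?:x-?)?csrf\w*|xsrf\w*|session\w*|sid|auth_?token)\b"""
    r"""["']?\s*[:=]\s*["'](?P<val>[^"']{8,})["']""",
    re.IGNORECASE,
)


def find_embedded_secrets(js_body, known_secrets=()):
    """Return (key, value) pairs that look like session data inlined in a script.

    known_secrets: values from the auditor's own authenticated session (its
    session cookie, a CSRF token copied from an HTML form). Any verbatim
    occurrence is a leak even when the surrounding property name looks harmless.
    """
    findings = [(m.group("key"), m.group("val")) for m in SECRET_KEY_RE.finditer(js_body)]
    already = {val for _, val in findings}
    for secret in known_secrets:
        if secret and secret in js_body and secret not in already:
            findings.append(("<known-session-value>", secret))
    return findings


def audit_script_response(headers, js_body, known_secrets=()):
    """Combine the content check with the response's caching policy.

    A script that embeds per-session data must at least be served uncacheable
    (Cache-Control: private or no-store), otherwise a shared cache can hand one
    user's tokens to the next. Script loading is cross-origin by design, so the
    durable fix is to keep session data out of script files altogether.
    """
    lower_headers = {k.lower(): v for k, v in headers.items()}
    cache = lower_headers.get("cache-control", "").lower()
    secrets = find_embedded_secrets(js_body, known_secrets)
    return {
        "secrets": secrets,
        "cacheable": "private" not in cache and "no-store" not in cache,
        "verdict": "LEAK" if secrets else "ok",
    }
```

Run it against the script URLs your own authenticated session loads, passing that session’s cookie and CSRF token as known_secrets, so that a leak is caught even when the inlined property name is unusual.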

The business of ethical hacking

To promote cybersecurity, HackerOne runs a platform that connects ethical hackers with organizations that pay rewards for vulnerabilities found in their software, services, or products.

One hacker reportedly managed to hack the HackerOne platform itself and earned himself $20,000 (£15,250).

Beyond bug bounty platforms, there are hacking competitions in which ethical hackers are encouraged to hunt for security flaws. One of these, the Pwn2Own contest, takes place in March; anyone who can hack a Tesla Model 3 electric car will pick up $700,000 (£535,000) and a brand new Tesla Model.

Apple has also confirmed that it pays an award of $1.5 million to anyone who hacks an iPhone.

Muhaimin Olowoporoku
Muhaimin is a journalist and a crypto enthusiast. He believes in the Africa project and sees blockchain technology as a possible solution alongside developmental journalism.
