What happened to the Paypal data breach? Here are the latest news.
Paypal data breach
Paypal confirmed the security breach that happened in late 2019. Also, they admitted the weakness in their security.
A security analyst, Alex Birsan, reported the issue to Paypal. He said that there is a flaw in the login page.
According to his public report, a JavaScript file on the webpage is weird. It has a cross-site request forgery or a CSRF token and a session ID. What does this mean?
The file reveals session data, and hackers can retrieve login details.
How dangerous it is
Birsan said that this is a high-severity bug. And most of all, it affected the most visited page of Paypal: the login page.
Additionally, he said that it is easy to find by cybercriminals who want to get and sell login credentials.
Paypal’s acknowledgment
Paypal acknowledged the report. Also, they reportedly gave Birsan an award of $15,300.
Besides, Paypal started an investigation. In their report, they confirmed that, indeed, there were sensitive and unique tokens that leaked. So, it resulted in Recaptcha implementation.
How the hack works
In some cases, users are requested to solve a CAPTCHA challenge. It will confirm their identity to log in successfully.
But, if the user failed to solve the captcha repeatedly, they may not be required to do the authentication challenge. Which is very ironic.
Also, they said that some followed a link from a malicious site. Then, hackers trick them to enter their login details and password.
If a user typed his login details, hackers can get the information. So, they can complete the security test and pretend that they are the user.
Thus, it would expose the password because they now know the answers to the security challenge.
Paypal’s defense
Also, Paypal said that it would only expose the password if the user followed the link. Like how a phishing page works.
However, Birsan said that social engineering attacks do not work that way. The only thing that hackers need is just for the user to visit a hacked web page.
Moreover, he added that the same process can expose credit card data. Which is very harmful, as they can take your money.
Details of the disclosure
Birsan submitted the proof of concept to Paypal’s bug bounty program. And HackerOne validated the proof after 18 days.
Paypal solved the bug last December 11, 2019. It was within 24 hours of the report. It is an impressive quick action.
Besides, the bug was disclosed last January 8, 2020.
Additionally, they said that they have already applied more controls to the security test. Thus, the session tokens will not be reused.
Also, they claimed that they did not find any evidence of abuse or data theft.
Conclusion
After the disclosure by Birsan, he said that the bug could have been avoided. True, Paypal has fixed the issue.
However, all companies and websites should always apply the oldest piece of information security advice. It is to never store the passwords in plain text.
