Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The Bug that Exposed Your Paypal Password - 131

Alex Birsan, posted 6 years ago
  • You think Paypal would know better... This is a fascinating bug though!
  • First, CSRF and session tokens were embedded in a JavaScript file. Script includes are not restricted by the Same-Origin Policy (SOP), so a malicious site could load the script cross-origin with a script tag and read the tokens it carried. This is known as cross-site script inclusion (XSSI).
  • After digging into where these tokens were actually used, he found they were not used for normal operations; the only thing they were used for was the reCAPTCHA security challenge.
  • The response to the reCAPTCHA challenge is meant to re-enter the authentication flow, so it contains the user's plaintext email and password! The same approach was also found to allow stealing credit card information on PayPal.
  • The exploitation flow is not that of a typical CSRF bug, though: the victim has to have the malicious site open while logging into PayPal. Interesting to see the large payout for such an unusual way of reproducing the bug.
  • The author uses a logout CSRF to make the attack possible (logout CSRF is traditionally not considered much of a security issue, so it is everywhere). More information on the actual PoC can be found in the Reddit comments from the original author.
  • Contact info for this amazing researcher is at the bottom of the article. Email: alex@ethicalhack.ro
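The root cause in the notes above is a script file that carries session and CSRF tokens, which any page can include cross-origin. As an added example (not code from the article, from Alex Birsan, or from PayPal), the block below shows the defender's side of that lesson: an audit helper that flags token-like string literals in a JavaScript response body, and a hardened token endpoint that hands the token out as JSON and refuses script-initiated or cross-site loads. The sample script body, the identifier list, the entropy threshold and the request shape are all constructed assumptions for the demo.

```javascript
// Added example (not from the original post or PayPal): a defender-side audit
// for the XSSI pattern in the notes above. Anything embedded in a JavaScript
// file that a <script src=...> tag can load is readable by any site the user
// visits, so secrets must never be served that way.

// Identifier names that commonly carry secrets (constructed list; tune per app).
const SECRET_NAME_RE = /(csrf|xsrf|session|auth|token|secret|key)/i;

// Matches `name = "value"`, `name: "value"` or `"name": "value"` where the
// value is a string literal of at least 8 characters.
const ASSIGNMENT_RE = /([A-Za-z_$][\w$]*|"[^"]+"|'[^']+')\s*[:=]\s*(["'])([^"']{8,})\2/g;

// Shannon entropy in bits per character; random tokens score well above prose.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scan a JavaScript response body and return {name, value, entropy} for every
// literal whose name looks sensitive or whose value looks like a random token.
function auditScriptForSecrets(body) {
  const findings = [];
  for (const m of body.matchAll(ASSIGNMENT_RE)) {
    const name = m[1].replace(/^["']|["']$/g, '');
    const value = m[3];
    const h = entropy(value);
    const looksRandom = h > 3.5 && /^[A-Za-z0-9_\-=.]+$/.test(value);
    if (SECRET_NAME_RE.test(name) || looksRandom) {
      findings.push({ name, value, entropy: Number(h.toFixed(2)) });
    }
  }
  return findings;
}

// Hardened alternative: serve the token as JSON from an endpoint that rejects
// cross-site and <script>-initiated requests. `req.headers` is assumed to be a
// lower-cased header map, as Node's http module provides. Browsers that do not
// send Sec-Fetch-* headers fall through; pair this with an Origin check there.
function tokenResponse(req, token) {
  const h = req.headers || {};
  const site = h['sec-fetch-site']; // 'same-origin' | 'same-site' | 'cross-site' | 'none'
  const dest = h['sec-fetch-dest']; // 'script' when loaded via <script src=...>
  if (dest === 'script' || (site && site !== 'same-origin')) {
    return { status: 403, headers: { 'content-type': 'text/plain' }, body: 'forbidden' };
  }
  return {
    status: 200,
    headers: {
      // JSON is not executable as a script; nosniff lets the browser's
      // cross-origin read blocking (CORB/ORB) refuse a script load of it.
      'content-type': 'application/json; charset=utf-8',
      'x-content-type-options': 'nosniff',
      'cache-control': 'no-store',
      'vary': 'Cookie',
    },
    body: JSON.stringify({ csrfToken: token }),
  };
}

// Constructed sample: a config script of the kind the audit should flag.
const SAMPLE_LEAKY_JS = [
  'var greeting = "Hello, welcome back";',
  'window.appConfig = { version: "1.0.3-beta", csrfToken: "8f3a9c2e1b7d4e6f", "sessionId": "k9Qx2mP7vL4nR8tZ" };',
].join('\n');

console.log(auditScriptForSecrets(SAMPLE_LEAKY_JS));
```

Run the audit against every endpoint your application serves with a JavaScript content type, including "config" or "bootstrap" scripts generated per user; those are exactly where per-session values tend to end up. The `tokenResponse` shape is the fix: a token the page needs should be fetched by same-origin code as JSON, never compiled into a script that any origin can include.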