paint-brush
HackerOne Finds Massive Security Failure In PayPal’s Login Compartmentby@becka
1,299 reads
1,299 reads

HackerOne Finds Massive Security Failure In PayPal’s Login Compartment

by Becka MaisuradzeJanuary 20th, 2020
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

HackerOne has revealed a vulnerability in PayPal’s login page that disclosed users’ private credentials to hackers. HackerOne is a cyber agency that unites researcher-hackers and companies into one single space. PayPal, on the one hand, wants to detect holes and breaches in its protection system and tackle them after they arise to the surface. Hackers, too, are keeping up with modern tech trends and become all the more skilled in their work. In one day after the vulnerability was submitted, the company patched it, claiming the “token reuse” has been prevented through this patch and no further abuse has been found.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - HackerOne Finds Massive Security Failure In PayPal’s Login Compartment
Becka Maisuradze HackerNoon profile picture

In today’s highly digitized environment, the capabilities to change our lives for the better are virtually endless. The cooperation of humans and technology - be it hardware of software - has made our lives easier and more productive.

However, such expansion also comes with its shortcomings. Have you seen any sci-fi futuristic film lately where highly-sophisticated machines haven’t gone rogue against humanity and started slaughtering every living being? Right in the bullseye.

Jokes aside, there really are some threats and issues that need to be attended to, even though their existence certainly doesn’t mean we shouldn’t strive towards progress anymore. It just means that every coin has two sides.

So, what is this grave threat that I’m talking about?

Imagine setting up a PayPal account. Some of the most basic details that you need to enter into the platform are your full name, email address, phone number, country of residence, and the credit card number.

Our privacy is at stake

And when you enter all those details into an online database, you inadvertently expose them to the whole world - theoretically, of course. Now, more often than not, these pieces of private credentials are properly protected by the providers, be it the above-mentioned PayPal or others. 

However, the improvement of protective platforms is closely followed by the development of more crafty hacking tools and methods. Hackers, too, are keeping up with modern tech trends and become all the more skilled in their work.

And boy, have they some skill! Some of the most protected platforms have been hacked like nothing by these resourceful individuals.

Entering PayPal’s database illicitly would be nothing for them. 

Granted, the imperfections are everywhere, both in the online and offline worlds, and there’s no escaping from them. However, if anything can make any progress against them, it’s definitely the recognition of the problem and facing it straight up. 

PayPal hiring HackerOne “researchers”

And that’s exactly what PayPal and such companies have been doing through HackerOne. HackerOne is a cyber agency that unites researcher-hackers and companies into one single space.

PayPal, on the one hand, wants to detect all the holes and breaches in its protection system and tackle them after they arise to the surface. Hackers, on the other hand, are willing to dig into those systems, use their skill and mastery and try to find as many imperfections as they can. After all, their paycheck depends on it.

In one of such recent cases, a HackerOne researcher revealed a vulnerability in PayPal’s login page that disclosed users’ private credentials to hackers. Alex Birsan discovered this quite acute breach when he was looking for them in the authentication compartment of the website. 

And just when he was exploring around, he quickly noticed a JavaScript file that contained some suspicious content. In technical terms, it’s called a cross-site request forgery (CSRF) through which, if any type of data falls into that file, the hackers will get hold of them quite easily. 

According to Birsan himself, this is one of the largest threats that can undermine “PayPal’s most visited pages, the login form.” Birsan was quick to submit the details about this threat, as well as proof of it, through HackerOne’s platform that’s essentially a “bug bounty” page. He submitted the application on November 18, 2019, and it was validated on December 6. And four days after, Birsan got a compensation of $15,300 for his successful work.

Patching the vulnerability in just one day

PayPal, eager to find even the tiniest imperfection in its system, quickly took matters into its hands. In just one day after the vulnerability was submitted, the company patched it, claiming that the “token reuse” has been prevented through this patch and no evidence of further abuse has been found.

To make introduce some clarity and not sound overly technical, this vulnerability closely resembles the famous Phishing method. In Phishing, hackers create webpages that look incredibly similar to the actual ones like PayPal, Facebook, etc. And while distinguishing one from another is quite hard, it’s not impossible: the fake websites will have a different, yet very similar, link address to the actual one - usually, a difference of just one letter.

And when users put their details into filling bars, hackers immediately get them on their system. And from there, it’s practically nothing to steal their money or do other terrible things.

This is one of many examples of how groups like HackerOne help big companies eliminate vulnerabilities on their online platforms. In fact, Forbes has published an article covering six HackerOne hackers who had earned some $1 million from the platform.

Funny enough, even HackerOne’s platform got hacked by one such individual. It goes without saying that the hacker got himself a $20,000 paycheck from the company.

Other similar cases

But HackerOne isn’t the only platform that operates on this “market”. Some companies look for the most skilled hackers themselves. For instance, Elon Musk’s Tesla has announced that anyone who hacks its Tesla Model 3 electric car will earn themselves a hefty prize of $700,000 and on top of that, the brand-new Model 3 itself. Another example includes Apple with an even larger reward of $1.5 million to anyone who hacks the iPhone.

So, it goes without saying that the companies don’t hold a penny for detecting as many breaches and vulnerabilities into their system as they can - or, more precisely, hackers can for them. 

In the above-mentioned example, PayPal has paid some fifteen grand to an individual who hinted to the login screen vulnerability and then, quickly resolved it. Others have even higher rewards. So, the price of security and stability is never high in this technologically advanced world.