For reporting a security breach that could lead to the exposure of user password to a hacker, Paypal paid Alex Brisan, an ethical hacker, a bug bounty of fifteen thousand three hundred dollars ($15,300). Paypal openly admitted that Brisan, a researcher, discovered the breach and reported to them.
Brisan reported the breach on January 8, however, PayPal had already fixed the glitch since December but still rewarded Brisan.
An ethical hacker, also referred to as a white-hat hacker, is an information security expert who systematically attempts to penetrate a computer system, network, application or other computing resources on behalf of its owners — and with their permission — to find security vulnerabilities that a malicious hacker could.
Brisan wrote in his public disclosure that what happened is the story of high-severity bug affecting one of PayPal’s most visited pages referring to the login form. He discovered the breach while exploring the main authentication flow at PayPal.
PayPal’s loopholes
According to Brisan, his attention was drawn to the fact that a JavaScript (JS) file contained what looked like a cross-site request forgery (CSRF) token and a session ID. Providing any session data inside a valid javascript file, Birsan said, usually allows it to be retrieved by attackers.
In the same light, PayPal confirmed that sensitive, unique tokens were being leaked in a JS file used by the ReCaptcha implementation. In certain circumstances, users had to solve a CAPTCHA challenge after authenticating, and PayPal noted that the exposed tokens were used in the POST request to solve the CAPTCHA.
PayPal also confirmed that after solving the captcha, a user would then need to go to another (malicious) site and enter their PayPal credentials. This would enable the hacker to complete the security challenge, which then produced an authentication request replay to show the password.
PayPal further explained that, however, the exposure only occurred if a user follows a login link from a malicious site.
Ethical hackers’ connecting platform
To promote cybersecurity, an organization, HackerOne, has provided a platform that connects ethical hackers with organizations that pay rewards for vulnerabilities that are found in their software, services, or products.
One hacker reportedly managed to hack the HackerOne platform itself and earned himself $20,000.
Outside this, there are hacking competitions where ethical hackers are encouraged to participate in finding possible security breaches. One of these Pwn2Own hacking contest competitions holds in March, where anyone who can hack a Tesla Model 3 electric car would pick up $700,000 and a brand new Tesla Model.
Apple has also confirmed that anyone who hacks an iPhone will receive a reward of $1.5 million.
Featured Image by Pixabay
