PayPal confirms security vulnerability, pays bounty to ethical hacker

For reporting a security vulnerability that could have exposed users' passwords to an attacker, PayPal paid Alex Birsan, an ethical hacker, a bug bounty of fifteen thousand three hundred dollars ($15,300). PayPal publicly acknowledged that Birsan, a security researcher, discovered the flaw and reported it to them.

Birsan reported the vulnerability on January 8. PayPal had already fixed the flaw in December, but still rewarded Birsan.

An ethical hacker, also referred to as a white-hat hacker, is an information security expert who systematically attempts to penetrate a computer system, network, application or other computing resource on behalf of its owners — and with their permission — to find the security vulnerabilities that a malicious hacker could exploit.

Birsan wrote in his public disclosure that this is the story of a high-severity bug affecting one of PayPal's most visited pages: the login form. He discovered the vulnerability while exploring PayPal's main authentication flow.

PayPal’s loopholes

According to Birsan, his attention was drawn to a JavaScript (JS) file that contained what looked like a cross-site request forgery (CSRF) token and a session ID. Placing any session data inside a valid JavaScript file, Birsan said, usually allows attackers to retrieve it, because any third-party page can include the file with a script tag and the browser sends the user's cookies along with the request.

PayPal confirmed this account: sensitive, unique tokens were being leaked in a JS file used by the reCAPTCHA implementation. In certain circumstances, users had to solve a CAPTCHA challenge after authenticating, and PayPal noted that the exposed tokens were used in the POST request that submits the CAPTCHA solution.

PayPal also confirmed that, for the attack to work, a user who had been presented with the CAPTCHA would then need to visit another (malicious) site and enter their PayPal credentials there. This would let the attacker complete the security challenge, which replayed the authentication request and revealed the password.

PayPal further explained, however, that the exposure only occurred if a user followed a login link from a malicious site.
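The bug class described above, as an added example in JavaScript that is not PayPal's or Birsan's code: a constructed per-user script that embeds a CSRF token and session ID, a defender-side audit that flags such assignments in served JS, and a JSON endpoint design that a third-party script tag cannot read. The function names, header values and sample tokens are assumptions.

```javascript
// Added example (not PayPal's or Birsan's code): the bug class described above,
// a per-user script that embeds session values, next to an audit and a safer design.

// Constructed vulnerable pattern. A browser loads <script src=...> from any origin
// and attaches the victim's cookies, so everything embedded here is readable by a
// third-party page that includes the script.
function buildLeakyScript(session) {
  return [
    "window.__captchaCfg = {",
    `  csrfToken: "${session.csrfToken}",`,
    `  sessionId: "${session.sessionId}"`,
    "};",
  ].join("\n");
}

// Defender-side audit for script bodies: flag token-like keys assigned a
// quoted value of 8+ characters. Run it over the JS your own origin serves.
const SECRET_ASSIGNMENT =
  /\b(csrf[_-]?token|session[_-]?id|auth[_-]?token)\b\s*[:=]\s*["']([^"']{8,})["']/gi;

function auditScriptBody(body) {
  return Array.from(body.matchAll(SECRET_ASSIGNMENT), (m) => ({
    key: m[1],
    valueLength: m[2].length, // length only: the audit log must not re-leak the value
  }));
}

// Safer design: serve per-session values as JSON, never as executable JS.
// - nosniff stops browsers from running the response as a script
// - a custom request header cannot be set by <script src> or a plain link, and
//   from another origin it forces a CORS preflight this endpoint never approves
// - the session id itself is never returned; the cookie already carries it
function serveSessionConfig(session, reqHeaders) {
  const headers = Object.fromEntries(
    Object.entries(reqHeaders).map(([k, v]) => [k.toLowerCase(), v]),
  );
  if (headers["x-requested-with"] !== "fetch") {
    return { status: 403, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      "Cache-Control": "no-store",
    },
    body: JSON.stringify({ csrfToken: session.csrfToken }),
  };
}
```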

Ethical hackers’ connecting platform

To promote cybersecurity, the organization HackerOne provides a platform that connects ethical hackers with organizations that pay rewards for vulnerabilities found in their software, services, or products.

One hacker reportedly managed to hack the HackerOne platform itself and earned himself $20,000.

Beyond bug bounty platforms, there are hacking competitions in which ethical hackers are encouraged to hunt for possible security flaws. One of these, the Pwn2Own hacking contest, is held in March; anyone who can hack a Tesla Model 3 electric car would pick up $700,000 and a brand new Tesla Model.

Apple has also confirmed that anyone who hacks an iPhone will receive a reward of $1.5 million.

Featured Image by Pixabay

