Every once in a while, a researcher is able to find exploits before they are used in a malicious way. Today, we learned that a PayPal bug could have exposed passwords to an attacker.
Thankfully, a researcher was able to discover it before it was used against anyone. The researcher was Alex Birsan, who earned $15,300 for reporting the problem. The problem was reported to the company on January 18th and was fixed within 24 hours.
The problem was with the recaptcha implementation. In a post over at HackerOne, PayPal said that “unique tokens were being leaked in a JS file used by the recaptcha implementation.”
PayPal then implemented additional security measures on the security challenge request, which will prevent token abuse. They also assured everyone that no evidence of abuse was found.