PayPal has confirmed that a researcher found a high-severity security vulnerability that could expose user passwords to an attacker.
The researcher, Alex Birsan, earned a bug bounty of $15,300 for reporting the problem, which was disclosed January 8 having been patched by PayPal on December 11, 2019.
The bug affecting what is probably one of PayPal’s most visited pages: the login form.
"A bug was identified whereby sensitive, unique tokens were being leaked in a JS file used by the recaptcha implementation. In certain cases, a user must solve a CAPTCHA challenge after authenticating. When the security challenge is completed, the authentication request is replayed to log in. The exposed tokens were used in the POST request to solve the CAPTCHA," Paypal said, confirming Birsan's findings.