A serious reflected cross-site scripting (XSS) vulnerability affected the currency converter feature of PayPal wallet. Exploiting the flaw could allow an adversary to execute malicious scripts.
XSS Vulnerability In PayPal Currency Converter Wallet
Reportedly, the bug bounty hunter using the alias “Cr33pb0y” discovered a serious reflected XSS vulnerability in the PayPal currency converter. Specifically, the flaw existed in this feature of PayPal wallets on the service’s web domain.
Sharing the details in the bug report, PayPal explained that the issue stemmed from improper sanitization of user input in a URL parameter. Hence, an adversary could exploit the vulnerability to inject malicious code into the browser.
$2900 Bounty Awarded
The researcher discovered and reported the XSS vulnerability to PayPal via HackerOne in February 2020. Following the report, the timeline shows that PayPal resolved the bug in March 2020. However, PayPal disclosed it publicly only recently, and with limited details.
The vulnerability has received a medium severity rating with a score of 4.6. Regarding the fix, PayPal states that it implemented additional controls for user input validation. As stated in the disclosure:
“This was resolved by implementing additional controls to validate and sanitize user input before being returned in the response.”
For discovering and reporting the issue, PayPal awarded the researcher a $2900 bounty.
Recently, PayPal also made the news when a researcher, Alex Birsan, elaborated on his findings regarding security threats to various big firms. The vulnerability, which he named dependency confusion, existed in the programming languages used by over 35 different firms, including Apple, Microsoft, Shopify, PayPal, and more.