A serious reflected cross-site scripting (XSS) vulnerability affected the currency converter feature of PayPal wallet. Exploiting the flaw could allow an adversary to execute malicious scripts.
XSS Vulnerability In PayPal Currency Converter Wallet
Reportedly, the bug bounty hunter with the alias “Cr33pb0y” discovered a serious reflected XSS vulnerability in the PayPal currency converter. Specifically, the flaw existed in this feature in PayPal wallets on the service’s web domain.
Sharing the details in the bug report, PayPal described that the issue existed due to improper sanitization of user input in a URL parameter. Hence, an adversary could exploit the vulnerability to inject malicious codes into the browser. As stated,
An endpoint used for currency conversion was found to suffer from a reflected XSS vulnerability, where user input was not being properly sanitized in a parameter in the URL. This could lead to a malicious user injecting malicious JavaScript, HTML, or any other type of code that the browser may execute. The malicious script will execute in the browser page DOM of another user typically without their knowledge or consent.
$2900 Bounty Awarded
The researcher discovered and reported the XSS vulnerability to PayPal via HackerOne in February 2020. Following the report, the timelines show that PayPal resolved the bug in March 2020. However, they went for a public disclosure only recently, that too, with limited details.
The vulnerability has received a medium severity rating with a score of 4.6. Regarding the fix, PayPal states to have implemented additional controls for user input validation.
This was resolved by implementing additional controls to validate and sanitize user input before being returned in the response.
Whereas, for discovering and reporting this matter, PayPal awarded a $2900 bounty to the researcher.
Recently, PayPal made it to the news when a researcher Alex Birsan elaborated on his findings regarding security threats to various big firms. The vulnerability that he named dependency confusion existed in the programming languages of over 35 different firms including Apple, Microsoft, Shopify, PayPal, and more.
