Although session IDs and tokens alone are of little use for a direct attack, Birsan used them to subvert the mechanism that protects PayPal against brute force. After several unsuccessful login attempts, the user must solve a reCAPTCHA challenge. That page contains nothing other than the Google CAPTCHA, and once the challenge is solved, a POST request to /auth/validatecaptcha is generated.
The response to this request is meant to return the user to the authentication flow. To do so, it contains a form pre-filled with all the data from the user's last login request, including the email address and the password in plain text. To get at these credentials, an attacker needs to convince a victim to visit a malicious site before logging in to their PayPal account.
Since the request body carries the CSRF token and session ID along with two other tokens, the victim's credentials can be obtained if all the tokens used in the request are known. The value of one of these two remaining tokens is never validated, while the other is the recaptcha token that Google provides when the reCAPTCHA challenge is solved. The latter is not tied to the session, so any valid token will do, including one from an automated solving service.
Using this information, the researcher created an exploit that first used the XSSI vulnerability to obtain the victim's valid tokens, and then simulated a brute-force attempt to trigger the protection mechanism.
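As an added illustration that is not code from the original report or from PayPal, the Python model below shows the server-side defect described above (a CAPTCHA token not bound to the session, and a resume form that echoes the stored password) beside one hardened variant. The session store, field names and the per-session nonce binding are assumptions, not the actual fix:

```python
"""Constructed model of a /auth/validatecaptcha flow; not PayPal's code."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    csrf_token: str
    # Credentials from the last login attempt, kept so the flow can resume after the CAPTCHA.
    last_email: str = ""
    last_password: str = ""
    failed_logins: int = 0
    # Hardened variant only: nonce binding the CAPTCHA challenge to this session.
    expected_captcha_nonce: str = ""


# Constructed sample: a session that has already tripped the brute-force protection.
SESSIONS = {
    "sess-victim": Session("sess-victim", "csrf-abc", "victim@example.com", "hunter2", 3),
}


def solved_captcha_vulnerable(session_id: str, csrf_token: str, recaptcha_token: str) -> dict:
    """Defect: any non-empty reCAPTCHA token is accepted (stand-in for Google's verify call,
    which is not session-bound), and the resume form re-posts the password in plain text."""
    s = SESSIONS[session_id]
    if csrf_token != s.csrf_token or not recaptcha_token:
        raise PermissionError("token check failed")
    return {"action": "/login", "email": s.last_email, "password": s.last_password}


def issue_captcha_hardened(session_id: str) -> str:
    """Hardened: mint a single-use nonce that must come back with the CAPTCHA answer."""
    s = SESSIONS[session_id]
    s.expected_captcha_nonce = secrets.token_urlsafe(16)
    return s.expected_captcha_nonce


def solved_captcha_hardened(session_id: str, csrf_token: str, recaptcha_token: str, nonce: str) -> dict:
    """Hardened: the CAPTCHA answer is bound to the session via the nonce, the stored password
    is discarded, and the resume form carries only the email so the user re-types the password."""
    s = SESSIONS[session_id]
    if csrf_token != s.csrf_token or not recaptcha_token:
        raise PermissionError("token check failed")
    if not s.expected_captcha_nonce or not secrets.compare_digest(nonce, s.expected_captcha_nonce):
        raise PermissionError("captcha not bound to this session")
    s.expected_captcha_nonce = ""  # single use: a replayed nonce fails
    s.last_password = ""           # never retain or echo the secret
    return {"action": "/login", "email": s.last_email}
```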
Birsan reported the vulnerabilities to PayPal through the HackerOne platform in November 2019. By December 11, 2019, the developers had released a patch, and the researcher received a $15,300 reward for finding the bug.