PayPal has announced that they have patched a bug that was first reported to them on February 19th, 2020 by “Cr33pb0y.” Discussions between the bug bounty hunter and PayPal were held confidentially, which is why it took nearly a year for the public to hear of the vulnerability. The vulnerability affected the currency converter within PayPal wallets. The bug opened the door for attackers to steal cookies, session tokens, and account information via XSS combined with a CSP bypass. Following the discussions with Cr33pb0y, PayPal has implemented additional validation checks and sanitizer controls. PayPal also awarded the bounty hunter over $2,000 as a token of their appreciation for discovering the vulnerability.
Thankfully PayPal has patched the nagging vulnerability, but XSS vulnerabilities will continue to be a problem for other companies for quite some time. To protect against them, it is advised to validate input and apply sanitizer controls (as mentioned above); a web application firewall can also be used as an additional layer of protection. People who use PayPal and other online financial accounts should be aware that attackers also often use malware to steal the session cookies from web browsers with logged-in sessions and misuse the authentication tokens in those cookies to log on as the victim and transfer or spend money. It is important to review account activity regularly and report fraudulent transactions to the financial institution.
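As an added illustration of the defensive measures described above (validation, output sanitization, a CSP that does not permit inline script, and cookies that scripts cannot read), the following Node.js snippet is example code written for this post, not PayPal's own code, and it does not reproduce the patched bug. It assumes a hypothetical converter page that takes a `from` currency code and a free-text `label` query parameter and reflects them into HTML.

```javascript
// Added example (not PayPal's code): defensive handling of reflected input in
// a currency-converter style page, plus the response headers that limit what
// a successful XSS could steal.

// Escape the five characters that let untrusted text break out of an HTML
// text node or a double- or single-quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Validation before sanitization: a currency code is exactly three ASCII
// letters, so anything else is rejected instead of being echoed back.
const ISO_CURRENCY = /^[A-Z]{3}$/;
function validateCurrency(code) {
  const upper = String(code).trim().toUpperCase();
  return ISO_CURRENCY.test(upper) ? upper : null;
}

// Render the converter fragment. `from` is validated against an allow-list;
// the free-text `label` (hypothetical parameter) is escaped at output time.
function renderConverter(query) {
  const from = validateCurrency(query.from);
  if (from === null) {
    return { status: 400, body: "<p>Invalid currency code.</p>" };
  }
  const label = escapeHtml(query.label || "");
  return {
    status: 200,
    body: `<p>Converting from <span class="cur">${from}</span> (${label})</p>`,
  };
}

// A Content-Security-Policy that blocks inline and third-party scripts.
// Allowing 'unsafe-inline' or a wildcard source would give an injected
// <script> the same rights as the site's own code.
function cspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'";
}

// Session cookie attributes: HttpOnly keeps document.cookie from reading the
// token, Secure keeps it off plaintext HTTP, SameSite limits cross-site sends.
function sessionCookie(token) {
  return `session=${encodeURIComponent(token)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample input shaped like a reflected-XSS probe; the output shows
// it rendered as inert text rather than as markup.
const sample = { from: "usd", label: "<script>alert(1)</script>" };
const rendered = renderConverter(sample);
console.log(rendered.status, rendered.body);
console.log("Content-Security-Policy:", cspHeader());
console.log("Set-Cookie:", sessionCookie("abc123"));
```

Escaping on output and validating on input are complementary: the allow-list rejects malformed currency codes outright, while escaping covers free-text fields that cannot be constrained to a pattern. The CSP and cookie flags do not prevent injection, but they reduce what an injected script can do and what it can read, which is the same layered approach the advisory text recommends.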