PayPal has announced that they’ve patched a bug that was previously reported to them on February 19th, 2020 by “Cr33pb0y.” Discussions were held confidentially between the bug bounty hunter and PayPal and that’s why it took nearly a year for the public to hear of the vulnerability. That vulnerability affected the currency converter within PayPal wallets. The bug opened up the door for attackers to steal cookies, session tokens, and account information via XSS and CSP bypass. Since discussions with the Cr33b0y, PayPal has implemented more validation checks and sanitizer controls. PayPal also awarded the bounty hunter with over $2,000 dollars as a token of their appreciation for discovering the vulnerability.
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is