topic The Bug That Exposed Your PayPal Password in Tech Talk https://community.isc2.org/t5/Tech-Talk/The-Bug-That-Exposed-Your-PayPal-Password/m-p/31539#M2108 <P>Anytime <STRONG>session data</STRONG> is exposed it's going be bad. While "exploring" the flow of <STRONG><A href="https://medium.com/@alex.birsan/the-bug-that-exposed-your-paypal-password-539fc2896da9" target="_blank" rel="noopener">PayPal authentication</A></STRONG> a researcher found just that. In what is known as a cross-site script inclusion (<STRONG>XSSI</STRONG>) attack, a malicious web page can use an HTML &lt;script&gt; tag to import a script cross-origin, enabling it to gain access to any data contained within the file. What is cool about this one is the fact that&nbsp;<SPAN>although a J<STRONG>avascript obfuscator</STRONG> was used to randomize variable names on each request, the interesting tokens were still placed in fairly predictable locations, making it possible to retrieve them. It's another great story of how a bug bounty program saved PayPal from imminent&nbsp;self-destruction.</SPAN></P> Mon, 09 Oct 2023 09:24:21 GMT AppDefects 2023-10-09T09:24:21Z The Bug That Exposed Your PayPal Password https://community.isc2.org/t5/Tech-Talk/The-Bug-That-Exposed-Your-PayPal-Password/m-p/31539#M2108 <P>Anytime <STRONG>session data</STRONG> is exposed it's going be bad. While "exploring" the flow of <STRONG><A href="https://medium.com/@alex.birsan/the-bug-that-exposed-your-paypal-password-539fc2896da9" target="_blank" rel="noopener">PayPal authentication</A></STRONG> a researcher found just that. In what is known as a cross-site script inclusion (<STRONG>XSSI</STRONG>) attack, a malicious web page can use an HTML &lt;script&gt; tag to import a script cross-origin, enabling it to gain access to any data contained within the file. What is cool about this one is the fact that&nbsp;<SPAN>although a J<STRONG>avascript obfuscator</STRONG> was used to randomize variable names on each request, the interesting tokens were still placed in fairly predictable locations, making it possible to retrieve them. It's another great story of how a bug bounty program saved PayPal from imminent&nbsp;self-destruction.</SPAN></P> Mon, 09 Oct 2023 09:24:21 GMT https://community.isc2.org/t5/Tech-Talk/The-Bug-That-Exposed-Your-PayPal-Password/m-p/31539#M2108 AppDefects 2023-10-09T09:24:21Z