
The Bug That Exposed Your PayPal Password

Anytime session data is exposed it's going to be bad. While "exploring" the flow of PayPal authentication a researcher found just that. In what is known as a cross-site script inclusion (XSSI) attack, a malicious web page can use an HTML <script> tag to import a script cross-origin, enabling it to gain access to any data contained within the file. What is cool about this one is the fact that although a JavaScript obfuscator was used to randomize variable names on each request, the interesting tokens were still placed in fairly predictable locations, making it possible to retrieve them. It's another great story of how a bug bounty program saved PayPal from imminent self-destruction.
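As an added illustration of the XSSI mechanism described above (this is not code from the original post or from PayPal), the Node.js sketch below contrasts an endpoint that emits session values as executable JavaScript, which any page that includes it with a <script> tag can read, with a hardened version that serves plain JSON behind an anti-XSSI prefix, nosniff, and a Fetch Metadata check. The session fields, header names and response shapes are assumptions for the example.

```javascript
// Added example, not from the original post. Session data below is constructed.
const SESSION = { userId: "u-1234", csrfToken: "tok-" + "a".repeat(16) };

// XSSI-PRONE pattern: values are emitted as runnable JavaScript. Any origin that
// includes this URL via <script src=...> gets the assignments executed in its own
// page, so the values leak cross-origin. Randomizing the variable names does not
// help when the values sit in predictable positions, which is the post's point.
function vulnerableScriptResponse(session) {
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `var s = "${session.userId}"; var t = "${session.csrfToken}";`,
  };
}

// HARDENED pattern:
//  1. Serve data as JSON, not as a script, so a <script> include cannot run it.
//  2. Prefix with ")]}',\n" so a script parse fails on the first line; the app's
//     own fetch() strips the prefix before JSON.parse (see parseProtectedJson).
//  3. X-Content-Type-Options: nosniff stops browsers re-interpreting it as JS.
//  4. Fetch Metadata: a cross-site <script> load arrives with
//     Sec-Fetch-Dest: script and Sec-Fetch-Site: cross-site; refuse those.
const XSSI_PREFIX = ")]}',\n";
function hardenedDataResponse(session, reqHeaders) {
  const dest = reqHeaders["sec-fetch-dest"];
  const site = reqHeaders["sec-fetch-site"];
  // Browsers without Fetch Metadata send neither header; steps 1-3 still cover them.
  if (dest === "script" || (site && site !== "same-origin" && site !== "none")) {
    return { status: 403, headers: { "Content-Type": "text/plain" }, body: "forbidden" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      "Cache-Control": "no-store",
    },
    body: XSSI_PREFIX + JSON.stringify(session),
  };
}

// Client-side helper for the app's own same-origin pages: strip the prefix, parse.
function parseProtectedJson(body) {
  if (!body.startsWith(XSSI_PREFIX)) throw new Error("unexpected response framing");
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}
```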