Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label HackerOne. Show all posts

PayPal Suffered Cross-Site Scripting -XSS Vulnerability

 

The PayPal currency converter functionality was damaged by severe cross-site scripting (XSS) vulnerability. An attacker might be able to run destructive scripts if the vulnerability is abused. This could lead to the malicious user injecting malicious JavaScript, HTML, or some other form of browser file. The bug was noticed on PayPal's web domain with the currency converter functionality of PayPal wallets. 

On February 19, 2020, the vulnerability was first identified as a concern of "reflected XSS and CSP bypass" by a security researcher who goes by the name "Cr33pb0y" – he's been granted $2,900 in bug bounty programming by HackerOne. 

PayPal said that a flaw occurred in the currency conversion endpoint which was triggered by an inability to adequately sanitize user feedback, in a restricted disclosure that was released on February 10 – almost a year after the researcher identified the problem privately. 

PayPal acknowledged the flaw- in response to the HackerOne forum, that contributed to the currency translation URL managing user feedback inappropriately. A vulnerability intruder may use the JavaScript injection to access a document object in a browser or apply other malicious code to the URL. If hackers load a malicious payload into the browser of a victim, they can steal data or use the computer to take control of the system. As a consequence, malicious payloads can trigger a victim's browser page without its knowledge or consent in the Document Object Model (DOM). 

Typically, XSS attacks represent a browser's script from a specific website and can enable a target to click a malicious connection. Payloads can be used as a theft point in larger attacks or for the stealing of cookies, session tokens, or account information. PayPal has now carried out further validation tests to monitor users’ feedback in the currency exchange function and wipe out errors following the disclosure of the bug bounty hunter. 

XSS bugs are a frequent hacker attack vector. Several recent leaks of data have been related to bugs like what some analysts claim is an XSS flaw. 

While telling that the vulnerability has been fixed, PayPal said, “by implementing additional controls to validate and sanitize user input before being returned in the response.”

Ozon launched a bug bounty on HackerOne


The reward for each bug found will depend on the degree of its impact on the service, the potential damage that the vulnerability can cause, the quality of the report and other factors

Ozon, one of the largest online stores in Russia, has launched its own program to search for vulnerabilities on the well-known site HackerOne. Since this is the first Russian e-Commerce company, it is hoped that it will set the right path for other projects.

To launch the bug bounty program, Ozon first plans to invest $41,800 in working with researchers searching for vulnerabilities in systems.

At the same time, not only Russian cybersecurity experts but also experts from abroad can participate in the online store program.

According to the company, the launch of the program will provide round-the-clock security monitoring, but it will not cancel the work of the Ozon IT laboratory team in ensuring the security of Ozon services but will complement it. Currently, more than 1,000 engineers work in the Ozon IT lab, and 3.5 million users visit the Ozon website and app every day.

"Now the company has the necessary resources not only to develop its own security services but also to work with the hacker community," said Ozon.

Today, not many Russian companies resort to an organized search for vulnerabilities. Among these, it is possible to allocate giants like Yandex, Mail.ru and Qiwi. Ozon became the next major project, as the company had resources not only to develop its own security services but also to interact with the community of ethical hackers.

Like programs of other companies, the bug bounty from Ozon involves a cash reward, the amount of which depends on the severity of the bug found. For example, a company can pay about $240 for an XSS hole.

But something more dangerous, such as an RCE vulnerability that leads to remote code execution, can bring the researcher up to 1,600 dollars.

In May, HackerOne representatives said that the platform had paid researchers a total of $100 million over the entire lifetime of the project. And in early July, the list of the most generous HackerOne participating companies became known.

52 Hackers get into the US Army system in the last 5 weeks


Last year, during October and November, 52 hackers were able to hack the US army. "It only strengthens our security systems as the hackers who hacked our systems did it on ethical principles, as the participants of second 'Hack the Army' event that is taking place since the year 2016," says the spokesperson of the US Department of Defense Defense Digital Service.



In today's world of cyber attacks and hacking, it is right to assume that inviting hackers to try and invade your system's security is not safe, not even for the US army. The hackers don't need a mere invite to hack into any organizations' cybersecurity. This statement raises a bit of doubt as lately, the US government warned users to update specific Virtual Private Network (VPN), or suffer from persistent cybersecurity attacks. Also, recently, the New York airport and New Orleans city suffered a cyberattack.

But still, there exists a plan in this obvious cyber insanity. 'Hack Army 2.0' was a mutual undertaking between the U.S. Army, a bug bounty program called 'HackerOne,' and the Defense Digital Service.

What is HackerOne?
In simple words, HackerOne is a platform where various exploits or vulnerabilities can be tested by hackers. This platform has allowed some of its best hackers to win millions of dollars. Surprisingly, one hacker was even able to hack the program itself. This reflects the caliber and potential of the hackers, who register in HackeOne.
Therefore, the whole reason for organizing 'Hack Army 2.0' is to find out any threats or vulnerabilities that might affect the security of the US army. This is crucial as it ensures the US army from other unethical hackers and national threats, for instance, Iran.

146 bugs detected, the Army pays $275,000-
The results after this drill revealed that a total number of 60 open US army assets were under the potential threat of hacking. The US army rewarded the hackers a total amount of $274,000 for their efforts. "The assistance of hackers can be helpful for the Army to increase its defense systems exceeding fundamental agreement lists to attain maximum security," said the spokesperson Alex Romero.

PayPal Fixes 'High-Severity' Password Security Vulnerability


Researcher Alex Birsan, while examining PayPal's main authentication flow– discovered a critical security flaw that hackers could have exploited to access passwords and email addresses of users. He responsibly reported the vulnerability to PayPal on November 18, 2019, via the HackerOne bug bounty platform and received a bug bounty over $15,000 for the issue which was acknowledged by HackerOne after 18 days of its submission and later patched by the company on 11th December 2019. 

The aforementioned bug affected one of the primary and most visited pages amongst all of PayPal's, which is its 'login form' as mentioned by Birsan in the public disclosure of the flaw. 

As Birsan was exploring the main authentication flaw at PayPal, his attention got directed to a javascript file that seemingly contained a cross-site request forgery (CSRF) token along with a session ID. "providing any kind of session data inside a valid javascript file," the expert told in his blog post, "usually allows it to be retrieved by attackers." 

"In what is known as a cross-site script inclusion (XSSI) attack, a malicious web page can use an HTML <script> tag to import a script cross-origin, enabling it to gain access to any data contained within the file." 

While giving their confirmation, PayPal put forth that sensitive, unique tokens were leaked in a JS file employed by the Recaptcha implementation. Sometimes users find themselves in situations where they have to go through a captcha quiz after authentication and according to the inference drawn by PayPal, "the exposed tokens were used in the post request to solve the captcha challenge." The captcha quiz comes into play after multiple failed login attempts, that is normal until you come to terms with the fact that " “the response to the next authentication attempt is a page containing nothing but a Google captcha. If the captcha is solved by the user, an HTTP POST request to /auth/validate captcha is initiated.” Although, in order to successfully obtain the credentials, the hacker would be required to find a way of making targeted users visit an infected website prior to logging into their PayPal account. 

While assuring its users, PayPal said that it “implemented additional controls on the security challenge request to prevent token reuse, which resolved the issue, and no evidence of abuse was found.”