PayPal Vulnerability with Login Patched After Being Discovered by White-Hat Hacker
A PayPal vulnerability in the login system was recently discovered by a white-hat hacker, allowing the company to create a patch for the problem. When we picture highly skilled hackers at work, we might think of darkened rooms and faces peering out of black hoodies, lit by the glow of several computer monitors. At least, that is how Hollywood portrays these criminal masterminds who can break into a secure network from anywhere in the world and cause harm.
Fortunately, that is not often the reality. In fact, a number of hackers—the so-called “white-hat hackers”—like to sift around in a major company’s security defenses just to see what they can find. The company might pay them handsomely as a reward.
That was the case with a recently patched login vulnerability at PayPal. A hacker discovered that the Java script in the login page could potentially allow unauthorized outsiders to access accounts. Alex Birsan then reported the issue to PayPal and publicly disclosed it, for which he received over $15,000 from the company.
The method involved in accessing an account without authorization is so roundabout that PayPal has no reason to think anyone actually accomplished it. According to the company, an unsuspecting user would have had to go to PayPal by first clicking a button on a malicious website and entering their credentials to take advantage of the PayPal vulnerability. Then a hacker would have had to access the Google CAPTCHA that verifies the users’ identities on certain accounts. Still, there is no reason to leave a vulnerability unchecked, and PayPal created a patch for the PayPal vulnerability.
While PayPal users do not have to do anything to install this patch—since the issue was with PayPal’s own site, not downloaded user software—this is a good reminder that any time a vulnerability is discovered and a patch is issued, that patch will not be useful unless it is implemented. If the PayPal vulnerability had involved user software or apps, you would not be protected if you had not installed the latest update.
Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530.
You might also like…
How much information are you putting out there? It’s probably too much. To help you stop sharing Too Much Information, sign up for the In the Loop.
