A security researcher has disclosed a high-severity bug in one of PayPal's most visited pages: the login form.
According to security researcher Alex Birsan, while exploring PayPal's main authentication flow he noticed a JavaScript file containing what appeared to be a CSRF token and a session ID. This, he says, immediately drew his attention, "because providing any kind of session data inside a valid JavaScript file usually allows it to be retrieved by attackers. In what is known as a cross-site script inclusion (XSSI) attack, a malicious web page can use an HTML <script> tag to import a script cross-origin, enabling it to gain access to any data contained within the file."