This is my first post, about one of my findings in the PayPal Bug Bounty program.

If you are looking for some cool bugs, please check Harsh Jaiswal's writeup; nothing fancy here :D

So, coming back to this writeup. One fine day, I was looking for 🐛's on braintreepayments.com, which is in scope for PayPal's Bug Bounty Program.

I was reviewing the source code of braintreepayments.com and found this strange JavaScript snippet:

var targetLocale = window.location.href.match(/locale=(.{5})/) ? window.location.href.match(/locale=(.{5})/)[1] : null;

After reading the JS code, I found that if a user sends a request with a locale parameter whose value is not equal to en-us (currentLocale), it is saved as storedLocale using window.localStorage.setItem('locale', targetLocale);. After that, whenever the user visits braintreepayments.com and currentLocale != storedLocale, they are redirected to https://braintreepayments.com/`locale`, even if they try to click any hyperlink on https://braintreepayments.com.

The limitation was that the regex only captures five characters of the locale parameter (any five characters, not just letters) before saving them to the browser's localStorage, but that was enough to create an annoying PoC.
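To make the flow concrete, here is an added example (not Braintree's code; the page only shows the one regex line, so the storage and redirect steps, the function names, the fake window/localStorage objects and the allowlist of supported locales are all assumptions for illustration). It reconstructs the vulnerable behaviour described above next to a hardened version that only honours locales from an explicit allowlist and discards a stale or poisoned localStorage value on every load.

```javascript
// Added example: reconstruction of the locale-redirect flow described in the
// post, beside a hardened variant. Function names, the allowlist and the
// fake browser objects are assumptions, not the site's real code.

const CURRENT_LOCALE = 'en-us';

// Minimal stand-ins for window.location and window.localStorage so the
// example runs under Node without a browser (constructed for this demo).
function makeBrowser(href) {
  const store = new Map();
  return {
    location: { href, redirectedTo: null },
    localStorage: {
      getItem: (k) => (store.has(k) ? store.get(k) : null),
      setItem: (k, v) => store.set(k, String(v)),
      removeItem: (k) => store.delete(k),
    },
  };
}

// Vulnerable flow as described in the post: take any five characters after
// "locale=", persist them if they differ from en-us, and redirect to
// /<storedLocale> on every subsequent page load while they still differ.
function vulnerableLocaleRedirect(win) {
  const m = win.location.href.match(/locale=(.{5})/);
  const targetLocale = m ? m[1] : null;
  if (targetLocale && targetLocale !== CURRENT_LOCALE) {
    win.localStorage.setItem('locale', targetLocale);
  }
  const storedLocale = win.localStorage.getItem('locale');
  if (storedLocale && storedLocale !== CURRENT_LOCALE) {
    win.location.redirectedTo = `https://braintreepayments.com/${storedLocale}`;
    return win.location.redirectedTo;
  }
  return null;
}

// Hardened flow: parse the parameter properly, accept only locales the site
// actually serves (assumed list), and re-validate the persisted value on
// every load so a poisoned entry cannot keep redirecting the user.
const SUPPORTED_LOCALES = new Set(['en-us', 'en-gb', 'fr-fr', 'de-de']);

function parseLocale(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null;
  }
  const raw = url.searchParams.get('locale');
  if (raw === null) return null;
  const normalised = raw.toLowerCase();
  return SUPPORTED_LOCALES.has(normalised) ? normalised : null;
}

function hardenedLocaleRedirect(win) {
  const targetLocale = parseLocale(win.location.href);
  if (targetLocale && targetLocale !== CURRENT_LOCALE) {
    win.localStorage.setItem('locale', targetLocale);
  }
  const storedLocale = win.localStorage.getItem('locale');
  if (storedLocale && !SUPPORTED_LOCALES.has(storedLocale)) {
    // Stale or tampered value from an earlier visit: drop it, no redirect.
    win.localStorage.removeItem('locale');
    return null;
  }
  if (storedLocale && storedLocale !== CURRENT_LOCALE) {
    win.location.redirectedTo = `https://braintreepayments.com/${storedLocale}`;
    return win.location.redirectedTo;
  }
  return null;
}

// Demonstration: the PoC-style URL poisons storage in the vulnerable flow and
// the poison survives into a later plain visit; the hardened flow ignores it
// but still honours a legitimate locale.
function demo() {
  const poc = 'https://www.braintreepayments.com/legal/policy-updates?locale=fword';
  const vuln = makeBrowser(poc);
  const first = vulnerableLocaleRedirect(vuln);
  vuln.location.href = 'https://www.braintreepayments.com/'; // later click on Log in
  const second = vulnerableLocaleRedirect(vuln);

  const hard = makeBrowser(poc);
  const safeFirst = hardenedLocaleRedirect(hard);
  hard.location.href = 'https://www.braintreepayments.com/?locale=fr-FR';
  const safeSecond = hardenedLocaleRedirect(hard);
  return { first, second, safeFirst, safeSecond };
}

console.log(demo());
```

Note that the original regex is also fragile in the other direction: a short legitimate value such as locale=fr followed by &utm_source= would capture "fr&ut", so even honest input would land in the redirect loop. Parsing with URL.searchParams and checking against an allowlist fixes both problems.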

So, I quickly created a PoC:

https://www.braintreepayments.com/legal/policy-updates?utm_campaign=BT_EMEA_LUX_SafeHarborUpdate_20160413&utm_medium=email&utm_source=Eloqua&elq_cid=5230793&locale=fword

After visiting this URL once, users were redirected to https://braintreepayments.com/fword even if they tried to click on Log in or sign up for a Sandbox Account.

Impact:

The issue could have been mass-exploited: if an attacker had run a public ad campaign linking to the PoC, users would not have been able to use braintreepayments.com. They would have kept being redirected to /fword until they cleared the site's localStorage in their browser.

Timeline:

30th Sep 2018 : Initial discovery.

4th Oct 2018 : Triaged by the HackerOne team

10th Oct 2018 : PayPal rewarded princechaddha with a $3,200 bounty.

3rd Nov 2018 : Issue resolved

I hope you liked this. Feedback is always welcome; reach out to me on Twitter @princechaddha.

Credits:

Thanks to Sahil Ahamad for proofreading this post :)