How To Reset or Recover a PayPal Account Password?

When hunting for security issues, the pursuit for uncharted assets and obscure endpoints often ends up taking the focus away from obvious, but still critical, functionality.

If you approach a target like you are the first person to ever perform a security assessment on it, and check everything thoroughly, I believe you are bound to find something new — especially if the code you are testing has been in continuous development for a while.

This is the story of a high-severity bug affecting what is probably one of PayPal’s most visited pages: the login form.

Initial discovery

If you've forgotten your PayPal password, but remember the email address you used to register with PayPal, follow these steps to regain access to your account:

This immediately drew my attention, because providing any kind of session data inside a valid JavaScript file usually allows it to be retrieved by attackers.

In what is known as a cross-site script inclusion (XSSI) attack, a malicious web page can use an HTML <script> tag to import a script cross-origin, enabling it to gain access to any data contained within the file.

Sure enough, a quick test confirmed the XSSI vulnerability and, although a JavaScript obfuscator was used to randomize variable names on each request, the interesting tokens were still placed in fairly predictable locations, making it possible to retrieve them with just a bit of extra work.
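From the defending side, the same property can be turned into a regression check: a script-typed response must never contain values bound to the test session, whatever the obfuscator names the variables. The sketch below is an added example, not code from the original write-up or from PayPal; the URLs, token names and token values are constructed, and it only inspects responses served with a JavaScript content type.

```javascript
// Added example: regression check for session data leaking into script responses.
// All URLs, names and token values below are constructed for illustration.
const SCRIPT_TYPE = /^(application|text)\/(x-)?(javascript|ecmascript)\b/i;

// Forms a token can take inside a JS file: raw, URL-encoded, or \xNN-escaped
// (lowercase hex, as obfuscators commonly emit). Assumes ASCII tokens.
function encodings(secret) {
  const hex = [...secret]
    .map((c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'))
    .join('');
  return [secret, encodeURIComponent(secret), hex];
}

// Header names are case-insensitive, so look them up that way.
function header(resp, name) {
  const key = Object.keys(resp.headers).find((k) => k.toLowerCase() === name);
  return key ? resp.headers[key] : '';
}

// Returns the names of session secrets found in a script-typed response.
// Matching is on token values, so per-request variable renaming does not hide them.
function exposedSecrets(resp, secrets) {
  if (!SCRIPT_TYPE.test(header(resp, 'content-type'))) return [];
  return Object.entries(secrets)
    .filter(([, value]) => encodings(value).some((e) => resp.body.includes(e)))
    .map(([name]) => name);
}

// Keeps only the responses that expose at least one secret.
function audit(responses, secrets) {
  return responses
    .map((r) => ({ url: r.url, exposed: exposedSecrets(r, secrets) }))
    .filter((f) => f.exposed.length > 0);
}

// Constructed test-session secrets and captured responses.
const secrets = { csrf: 'c0nstructed-csrf-123', sessionId: 'c0nstructed-sess-456' };
const js = { 'Content-Type': 'application/javascript; charset=utf-8' };
const responses = [
  { url: '/login/bootstrap.js', headers: js,
    body: `var _0x3fa1={a:"${secrets.csrf}",b:"${encodings(secrets.sessionId)[2]}"};` },
  { url: '/static/app.js', headers: js, body: 'function init(){return 1;}' },
  { url: '/api/session', headers: { 'content-type': 'application/json' },
    body: JSON.stringify(secrets) },
];

console.log(audit(responses, secrets));
```

A finding means the values should move out of the script response, for instance into an endpoint that is only reachable with a POST or a custom request header.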

  1. Go to our Log In page.
  2. Click Having trouble logging in? 
  3. Enter the email address you use for PayPal and click Next. (You'll be asked to confirm your identity by selecting a verification method.)
  4. Select how you want to recover your password, and click Next. (You'll be shown some options such as Have us call you, Receive a text, Receive an email, Answer your security questions, Confirm through Facebook Messenger or Confirm your identity using Google.)

How To Recover a PayPal Account Password?

  • If you choose to Have us call you, you'll see a code on the screen. Use the code when you get our call. We'll then ask you to create a new password and confirm it by entering it a second time.
  • If you choose to Receive a text, enter the 6-digit security code we send to your mobile device and click Next. We'll then ask you to create a new password and confirm it by entering it a second time.
  • If you choose to Receive an email, enter the 6-digit security code we email to you and click Continue. We may ask you to confirm your card number. We'll then ask you to create a new password and confirm it by entering it a second time.
  • If you choose to Answer security questions, enter your answers and click Continue. We may ask you to confirm your card number. We'll then ask you to create a new password and confirm it by entering it a second time.
  • You may also be given the option to Confirm through Facebook Messenger. If you choose to use this method, click Send Code, enter the 6-digit security code we send to your Messenger and click Confirm. We'll then ask you to create a new password and confirm it by entering it a second time.
  • If you have one or more Google email accounts registered to your PayPal account, you may be required to go through an authorization challenge upon logging in to your PayPal account. If you are already logged in to a Google account before the challenge step up, simply click Continue to complete the validation.
