Full Disclosure mailing list archives

Re: PayPal.com XSS Vulnerability
From: Robert Kugler <robert.kugler10 () gmail com>
Date: Wed, 29 May 2013 13:42:32 +0200

2013/5/29 Jeffrey Walton <noloader () gmail com>

On Fri, May 24, 2013 at 12:38 PM, Robert Kugler <robert.kugler10 () gmail com> wrote:
Hello all!

I'm Robert Kugler, a 17-year-old German student who's interested in
securing computer systems.

I would like to warn you that PayPal.com is vulnerable to a Cross-Site
Scripting vulnerability!
PayPal Inc. is running a bug bounty program for professional security
researchers.

...
Unfortunately PayPal disqualified me from receiving any bounty payment
because of being 17 years old...

...
I don’t want to accuse PayPal of a kind of bug bounty cost saving, but it’s
not the best idea when you're interested in motivated security researchers...
Fortunately Microsoft and Firefox took more reasonable positions on
the bugs you discovered in their products.

PCWorld and MSN picked up the story:

http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html
and
http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code

It is now newsworthy to Wikipedia, where it will live forever under
Criticisms (unfortunately, it appears PayPal does a lot of
questionable things, so it's just one of a long list).

Jeff


Today I received an email from PayPal Site Security:

"Hi Robert,

We appreciate your research efforts and we are sorry that our
age requirements restrict you from participating in our Bug Bounty Program.
With regards to your specific bug submission, we should have also mentioned
that the vulnerability you submitted was previously reported by another
researcher and we are already actively fixing the issue. We hope that you
understand that bugs that have previously been reported to us are not
eligible for payment as we must honor the original researcher that provided
the vulnerability.

I would also mention that in general, PayPal has been a consistent
supporter of what is known as “responsible disclosure”.  That is, ensuring
that a company has a reasonable amount of time to fix a bug from
notification to public disclosure.  This allows the company to fix the bug,
so that criminals cannot use that knowledge to exploit it, but still gives
the researchers the ability to draw attention to their skills and
experience.  When researchers go down the “full disclosure” path, it then
puts us in a race with criminals who may successfully use the vulnerability
you found to victimize our customers.  We do not support the full
disclosure methodology, precisely because it puts real people at
unnecessary risk. We hope you keep that in mind when doing future research.

We acknowledge that PayPal can do more to recognize younger security
researchers around the world. As a first step, we would like you to be the
first security researcher in the history of our program to receive an
official "Letter of Recognition" from our Chief Information Security
Officer Michael Barrett (attached, will follow up with a signed copy
tomorrow). We truly appreciate your contribution to helping keep PayPal
secure for our customers and we will continue to explore other ways that we
can provide alternate recognition for younger researchers.

We'd welcome the chance to explain this all to you firsthand over the
phone; please email us at this address with a number and a good time to reach
you and we’d be happy to follow up.

Thank you,
PayPal Site Security"

It's still curious that they only mentioned the first researcher who
previously found the bug after all the media attention... Nevertheless, I
appreciate their intentions to also acknowledge younger security
researchers; it's a step in the right direction!

Best regards,

Robert Kugler
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
