PayPal Bug Bounty Controversy - I found the XSS first: They still didn't pay me
From: Shubham Shah <shahshubham369 () gmail com>
Date: Thu, 30 May 2013 00:38:16 +1000
*On the 11th of May, 2013, I reported an XSS that affected the very same
field that Kugler reported, on the same domain of "paypal.com"* -
However, I too did not receive a bug bounty.
My name is Shubham Shah, also a security researcher. Coincidentally,
and similarly to Robert Kugler, I too found a cross-site scripting
vulnerability on PayPal's "sitewide-search" module. My exploit was
similar to his; it affected the same parameters, except that I had used an
alternate vector after fiddling with the search system for some time.
The real controversy, however, is that I am *under 18 years old* and, in the
past, have received money from their program under my older sibling's
PayPal account, with permission. When I reported the XSS, pretty much the
same as Kugler reported it, I was "not eligible for a bounty" because
"Another researcher already discovered the bug". Please take a look at
the attached emails and screenshots.
Here is what I sent to the Site Security team via their PGP portal:
To Paypal Site Security Team,
Recently I have discovered an XSS vulnerability which affects the wide majority of Paypal.com/*. This XSS vulnerability is a POST
type, on the affected script "searchscr?cmd=_sitewide-search".
(The * indicates any country code)
The XSS vector successfully executes on Internet Explorer and Firefox (newest builds). It does not execute on Chrome,
but it is possible to create a custom vector to do so. If needed, I can create such a vector.
XSS Vector: '"<script >alert(document.cookie)</script> The bypass used is the ['"] in front of any HTML or script
injection (without the square brackets)
This exploit has the capability of stealing a large number of user cookies in a short period of time with cookie
stealers. If needed I can also provide a PoC for this. This can be done stealthily and would cause major mayhem if
Here are some proof-of-concept images:
http://pasteboard.co/2lU54Wuj.png (PNG file hosted on pasteboard.co) - document.cookie xss on firefox
Here are my personal HTTP headers for making this exploit execute:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept-Encoding: gzip, deflate
Thank you for your time in reading this, Shubham Shah
Screenshots to prove date of submission and actual message:
http://pbrd.co/18ugpSY <= Date submitted proof
http://pbrd.co/18ugFRZ <= Proof of message
On 05/13/2013 7:47 AM I was told by PayPal that:
We regret to inform you that your bug submission was not eligible for a bounty for the following reason. Another
researcher already discovered the bug.
Thank you for your participation. We take pride in keeping PayPal the safer place for online payment.
PayPal Security Team
Once again, here are some screenshots:
http://pbrd.co/18uhtGD <= Proof of date I submitted it
http://pbrd.co/18uhMkI <= Proof of message - As I could not take a print
screen of the far right side, I included the barebones - print version
of the message - so others can verify the date I received the response.
Thanks for reading through,
I actually didn't get anything from PayPal similar to Robert, but I was
able to report the vulnerability 8 days earlier than Robert - and still
did not receive any acknowledgement.
Frankly, I was okay with it and moved on. I do not actually have much
against the bounty, as I have been paid numerous times. PayPal has
honoured many of my vulnerabilities. However, I can tell you that
recently none of my security submissions have been honoured; they state
that all my newer submissions have already been reported. I have no
actual way of verifying whether they have or not, so I just move on and
continue pentesting with spirit.
Also, Robert, I am amazed by your work done with security regarding
Mozilla! They were awesome finds! Solid stuff man, I hope one day that I
can move onto learning more about application security.
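The report above describes a search term reflected into the results page without encoding, with the `'"` prefix and a `<script >` tag (note the space) used as the vector. As an added example that is not part of the original post or of PayPal's code, the snippet below shows why a blocklist-style filter is the wrong fix for this class of bug and what context-aware HTML encoding of the reflected value looks like. The page template, the `blocklistFilter`, `htmlEncode`, `renderResults` and `containsScriptTag` functions are all constructed for illustration.

```javascript
// Added example: hardening a reflected search parameter against XSS.
// Nothing here is PayPal's code; the template and helpers are constructed.

// The vector quoted in the report. The space before ">" is what a naive
// string match on "<script>" misses.
const PAYLOAD = `'"<script >alert(document.cookie)</script>`;

// Naive blocklist filter, the kind of fix that gets bypassed: it strips the
// literal tokens "<script>" and "</script>" only. Browsers still parse
// "<script >" (with a space) as an opening script tag, so it survives.
function blocklistFilter(term) {
  return term.replace(/<\/?script>/gi, '');
}

// Context-aware output encoding: every character that can change the meaning
// of HTML text or of a double/single-quoted attribute value is escaped.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical results page that reflects the user's term in two sinks:
// as element text and inside a quoted attribute value.
function renderResults(term, encoder) {
  const safe = encoder(term);
  return `<h2>Results for ${safe}</h2>\n` +
         `<input type="text" name="q" value="${safe}">`;
}

// Defender-side check: does the rendered markup still contain a script tag
// open? A real review would run the page through an HTML parser; this regex
// is enough to show the difference between the two approaches.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone run: compare the two defences on the reported vector.
const filtered = renderResults(PAYLOAD, blocklistFilter);
const encoded = renderResults(PAYLOAD, htmlEncode);
console.log('blocklist leaves a script tag :', containsScriptTag(filtered)); // true
console.log('encoding leaves a script tag  :', containsScriptTag(encoded));  // false
console.log(encoded);
```

The blocklist version also lets the leading `"` close the `value="..."` attribute, which is the second sink the encoded version neutralises; the encoder turns the whole payload into inert text, `&#x27;&quot;&lt;script &gt;alert(document.cookie)&lt;/script&gt;`, regardless of which browser renders it.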
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/