
PayPal.com XSS Vulnerability - instakill
http://seclists.org/fulldisclosure/2013/May/163
======
ck2
PayPal should have put the reward into a trust for them for a year if there
were legal issues.

Kudos for them being honest with both the bug and their age regardless.

The future is probably filled with teenagers discovering things, good and bad.

Teenagers are still prosecuted as adults but legally treated as less for other
responsibilities.

~~~
masklinn
As x9k noted on /r/netsec
([http://www.reddit.com/r/netsec/comments/1f3bt1/17_years_old_...](http://www.reddit.com/r/netsec/comments/1f3bt1/17_years_old_student_publicly_discloses_a/ca6euzj))

* a 12 years old found a stack overflow bug in firefox's document.write, in 2010: [http://www.mercurynews.com/san-jose-neighborhoods/ci_1640189...](http://www.mercurynews.com/san-jose-neighborhoods/ci_16401891) (<https://news.ycombinator.com/item?id=1822117>)

* "Pinkie Pie" is an anonymous teenager, he won $60k at Pwnium, and did it again at Pwnium 2

* @CimStordal, 15 (at the time), found XSS in Facebook, Apple, Google and Microsoft sites: [http://www.internet-security.ca/internet-security-news-archi...](http://www.internet-security.ca/internet-security-news-archives-036/fifteen-year-old-teen-discovers-security-issues-in-google-facebook-apple-and-microsoft.html)

Tech has always been filled with teenagers discovering things, now more than
ever. Most bounty handlers treat them as valued contributors, Paypal — as
usual — shits all over everything.

------
lawnchair_larry
Not the first time I've seen paypal flake on their bounty. Poor excuse.

------
leke
Too young to be a hacker, but not too young to jail for being a hacker :D

------
homakov
1. seriously, you couldn't just say you're 18? nobody cares in fact.

2. well, fuck paypal!

3. not a good way to show PoC. Is there antiCSRF on search form? Can I see
the whole flow?

------
tudorconstantin
Paypal being penny wise but pound foolish.

The next person who'll discover something will probably monetize it on the
black market.

~~~
schlecht
As so many do.

------
ancarda
Is there any legitimate reason to discriminate because of age?

~~~
droopybuns
The Federal Labor Standards Act has provisions about anyone under the age of
18 working for companies whose revenue is greater than $500,000. It sucks to
be a kid for a lot of reasons.

This kid just blamed Paypal for one of our country's many idiotic federal
laws.

This choice should be considered a career limiting decision by any hiring
manager.

~~~
cperciva
_This choice should be considered a career limiting decision by any hiring
manager._

Are you saying that you're holding a 17 year old student in Germany
responsible for not understanding US labor laws?

~~~
twistedpair
It makes me angry, but the law here in the US is that "ignorance is not a
defense." Oh... you didn't know our several million laws when you broke one?
Too bad, they say. Lawyers counter that if the law was simpler, they wouldn't
have jobs.

~~~
tokenizerrr
Ok. Now if only the kid actually was over there in the US.

~~~
criley
It's not that simple. When you access an American network, your usage is
governed by American laws -- period.

You make it sound like if you hacked into Paypal from Germany you'd be
completely immune to American law on the matter because you're not in the US.

That's simply not true.

------
MysticFear
The downside of Child Labor laws.

~~~
icebraining
The Chromium Security team pays bounties to adults representing minors; Paypal
could have done the same.

~~~
droopybuns
If the feds were to audit the situation you are describing, I would wager
they'd come after Google.

Google has a lot more freedom and track record for asking forgiveness instead
of permission than Paypal (i.e. wifi sniffing in google cars). They are not a
payment processing company.

This stuff is complicated. Never attribute to malice that which is adequately
explained by stupidity.

~~~
meowface
Why's that? Minors can receive compensation for work they perform.

~~~
eksith
Also, would it even be applicable to minors working from outside the U.S.?

------
cft
Can you explain why this is a real vulnerability? The user himself must put
that JS in the search box.

~~~
pfg
Basically you need to put something like this on a page you control (where
"xss code" is the code triggering the XSS):

    <form action="https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search" method="post">
        <input type="text" name="queryString" value="xss code" />
    </form>

Then, just as the page loads, submit that form and you're executing JS on a
paypal.com page. This would work great for phishing or session hijacking.

~~~
hidden-markov
Isn't this CSRF?

~~~
unfed
Combination of XSS and CSRF.

~~~
benregenspan
This seems like it's just plain XSS - it doesn't take advantage of a user's
serverside session to forge an action on their behalf.

------
tzury
In the last 2 years, I have seen 100's of such on paypal/ebay.

Just to name a few, <http://www.xssed.com/search?key=paypal.com>

------
Hymie
Can you clarify exactly when you reported this XSS? A personal friend of mine
reported it (exact same bug with a slightly different XSS vector) and was told
it had already been found a reasonable while back.

(From memory, he also took a few photos of it.)

Would be interested to hear your response as it might give this another angle
entirely, haha.

My personal experience with PayPal isn't particularly great. I'm a security
researcher who's just turned 18, and even when I was underage I never actually
disclosed that, but regardless I had the following knocked back:

A whole heap of non-critical XSS's, and two critical stored ones. The ability
to edit titles on some PayPal subdomains (without giving too much information
out) - this vulnerability still exists, but I was told it was quote "not
serious" even though the title field was vulnerable to stored XSS.

Full path disclosures, open administrative panels, and a whole variety of
cookie/SSL/TLS based issues which I was told did not warrant a bounty.

Also had a personal friend (the same guy who found the XSS you've posted here)
find a couple of SQLi's on a few PayPal domains (post-auth), and he still hasn't
heard back from them.

I'm not going to be the guy to accuse PayPal of not playing fair here, but my
friend has also reported vulnerabilities I had previously reported and gotten
paid for them. (Might be because he reports them from his security company
email, whereas I was reporting them as an individual).

Anyway, sad to hear you didn't get a bounty!

Also, if you don't have it, here's a pretty good bug bounty list:
<http://bugcrowd.com/list-of-bug-bounty-programs/>

------
jremop
On a sidenote, does anyone have a good setup for browsing securely to avoid
issues like this? I ran with JS restricted to a whitelist for a while, but
many random websites that I have to use require it these days.

Can you use something like Ghostery to allow any site to do its own JS but not
external JS, besides whitelisted sites/externals?

~~~
ars
> Can you use something like Ghostery to allow any site to do its own JS but
> not external JS, besides whitelisted sites/externals?

That's exactly what noscript does. Use the option "Temporarily allow top-level
sites by default->Base 2nd level Domains".

~~~
jremop
Thanks! This looks like exactly the behavior I want.

------
jamesbrennan
It looks like the vulnerability has been patched. Can anyone confirm if they
can still successfully exploit this?

------
cstrat
It's weird that PayPal replaced one of the instances of </script> with
</skript>?
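The tag substitution cstrat noticed (`</script>` rewritten as `</skript>`) next to the contextual output encoding that actually fixes a reflected search term like the one pfg's form posts. This is an added illustration, not PayPal's code; the result-page template, the sample term and the helper names are constructed for the example.

```python
import html
import re

# Constructed sample: a search term as it would arrive in the POST body's
# queryString field. The text is a placeholder, not the disclosed payload.
SAMPLE_TERM = '<script>alert(1)</script>'

# Constructed stand-in for the results page that reflects the term.
PAGE_TEMPLATE = '<p>Results for: {term}</p>'

def render_blacklist(term: str) -> str:
    """Mimics the substitution seen in the thread: only the closing
    </script> tag is rewritten, the opening tag is reflected untouched."""
    filtered = term.replace('</script>', '</skript>')
    return PAGE_TEMPLATE.format(term=filtered)

def render_escaped(term: str) -> str:
    """Contextual output encoding for an HTML text node: every HTML
    metacharacter in the reflected value is entity-encoded, so the
    browser can never parse the term as markup, whatever request
    (direct search or a cross-site auto-submitted form) delivered it."""
    return PAGE_TEMPLATE.format(term=html.escape(term, quote=True))

# Anything the HTML parser would start reading as a tag.
TAG_RE = re.compile(r'<\s*/?\s*[a-zA-Z]')

def reflects_raw_tag(rendered: str) -> bool:
    """True if the reflected region of the page still contains a raw tag,
    i.e. the server-side fix did not neutralise the input."""
    m = re.search(r'Results for: (.*)</p>$', rendered, re.S)
    return bool(TAG_RE.search(m.group(1))) if m else False
```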

------
bharathwaaj
Can somebody explain how that script triggers?

------
yogevyuval
Add it to your CV

------
MarkTanamil
bitcoin user not affected

~~~
bluetooth
MtGox, BTC-e, among other big bitcoin exchanges have been hacked before.

~~~
ethanaustinite
Bitcoin is not mtgox or any other exchange. But to be fair, bitcoin itself had
its share of security issues (fixed, but who knows what the future holds)

