
PayPal Bug Bounty - a lesson in not being a fuckup - neilwillgettoit
http://l8security.com/post/33876600904/paypal-bug-bounty-a-lesson-in-not-being-a-fuckup
======
meritt
A lovely information leak on Paypal's front page: if you attempt to log in
with a banned account, and any password whatsoever, it gives you a nice error
message saying that account is banned (therefore confirming the account
exists, info leak #1) and also gives the current account balance (info leak
#2).

I know this because my account is banned.

Why's my account banned? Because in 2006 I received an unsolicited phone call
from somewhere in Nebraska claiming to be Paypal and informing me they needed
to verify my account credentials. I played along with the obvious phishing
attempt for a few minutes until they demanded the email and mailing address on
my account to "verify I was the account holder". I told the woman on the other
end to go fuck herself and hung up. Turns out it _was_ Paypal and they banned
me for failing account verification.

Fuck Paypal.
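
The behaviour described in this comment is a textbook verbose-error account
enumeration: the response branches on account state before the password is ever
checked. The toy login endpoint below is an added example, not PayPal's code or
anything from the original post; account data, e-mail addresses, balances and
messages are all constructed for illustration. It reproduces both leaks beside a
hardened handler that always verifies the password (against a dummy hash when
the address is unknown), discloses the limited state only after a correct
password, and never puts account details in a failure response.

```python
import hashlib
import hmac

# PBKDF2 keeps the example dependency-free; use argon2/bcrypt/scrypt in
# production. A fixed salt is used only so the constructed sample data is stable.
_SALT = b"constructed-example-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)


# Constructed sample data: one normal account, one banned ("restricted") one.
ACCOUNTS = {
    "alice@example.com": {"hash": _hash("correct horse"), "banned": False, "balance": "12.34"},
    "banned@example.com": {"hash": _hash("whatever"), "banned": True, "balance": "987.65"},
}

# Checked against when the address is unknown, so the hash work (and therefore
# the response time) is the same whether or not the account exists.
_DUMMY_HASH = _hash("dummy-password-for-unknown-accounts")

GENERIC_FAILURE = "The email address or password you entered is incorrect."


def login_leaky(email: str, password: str) -> dict:
    """Vulnerable handler: the response text depends on account state, and the
    banned branch runs before the password is checked, so any password at all
    confirms the account exists (leak #1) and reveals its balance (leak #2)."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return {"ok": False, "message": "No account exists for that email address."}
    if acct["banned"]:
        return {"ok": False,
                "message": f"This account has been limited. Current balance: ${acct['balance']}"}
    if not hmac.compare_digest(acct["hash"], _hash(password)):
        return {"ok": False, "message": "Incorrect password."}
    return {"ok": True, "message": "Welcome back."}


def login_hardened(email: str, password: str) -> dict:
    """Hardened handler: the password is always verified, every failure before
    authentication returns one identical message, and the limited state is
    shown only to someone who holds the password (still without the balance)."""
    acct = ACCOUNTS.get(email)
    stored = acct["hash"] if acct is not None else _DUMMY_HASH
    password_ok = hmac.compare_digest(stored, _hash(password))
    if acct is None or not password_ok:
        return {"ok": False, "message": GENERIC_FAILURE}
    if acct["banned"]:
        return {"ok": False, "message": "This account is limited. Please contact support."}
    return {"ok": True, "message": "Welcome back."}


def enumerable(login, probe_emails, password="not-the-password"):
    """Attacker's view: probe each address with a wrong password and report the
    ones whose response differs from that of an address that certainly does not
    exist. A non-empty result means the endpoint confirms account existence."""
    baseline = login("does-not-exist@example.com", password)
    return {e for e in probe_emails if login(e, password) != baseline}


if __name__ == "__main__":
    probes = ["alice@example.com", "banned@example.com"]
    print("leaky distinguishes:   ", sorted(enumerable(login_leaky, probes)))
    print("hardened distinguishes:", sorted(enumerable(login_hardened, probes)))
    print("leaky, wrong password on banned account:",
          login_leaky("banned@example.com", "zzz")["message"])
```

Run as a script it shows the leaky handler distinguishing both real addresses
from a non-existent one, and the hardened handler distinguishing none. The
ordering in `login_hardened` is the point: state that depends on the account
(banned, balance, anything) is only ever revealed after the password has been
verified, and the unknown-account path does the same hashing work so timing does
not become a third oracle.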

~~~
jstclair
Why don't PayPal and other services add a Verified PayPal code to a user's
account page, and train users to log in during these phone calls and ask the
caller for the code?

The training itself - if you're being verified, you should do the same to the
caller - would have immense societal value.

~~~
fnordfnordfnord
IIRC PayPal used to be particularly bad about obliviously sending emails and
phoning users; asking for contact info, or other info that shouldn't be
communicated in such a way.

------
nbpoole
Anecdotally I've seen similar bad behaviors in a lot of bug bounty programs:

- I haven't submitted to PayPal, but I do have a minor eBay XSS which I
reported in May (eBay doesn't have a bounty program, but they do have a
responsible disclosure policy:
<http://pages.ebay.com/securitycenter/Researchers.html>). The last time I
asked if the issue was patched I was told "Not yet. We'll let you know when
this is resolved." That was in June; I haven't re-tested recently.

- When CCBill had a bug bounty program I was able to gain access to their
admin panel because it was publicly accessible and linked to via a directory
index. That followed a story similar to the one here (I reported it, it was
rejected as a duplicate, I followed up about a month later when it still
wasn't patched, and they quietly patched it and paid me money).

- Yandex recently launched a bug bounty program. So far I've submitted 3 or 4
issues. I've only heard about one of them: it was marked as a duplicate, which
is fine, but weeks later the issue still isn't patched.

That being said there _are_ companies like Google, Mozilla, Facebook, Etsy,
GitHub, Reddit, and many others which take responsible disclosure of security
issues seriously. But it does seem like certain companies need to re-examine
how they handle reports from external researchers.

~~~
neilwillgettoit
you're a hero of mine. thank you for this. seriously.

------
zenofex
I've actually submitted, and was recently paid for, a Paypal XSS bug. I had the
same issue with the expired PGP key and also received the new key from them
manually. The whole process took around 4 months to complete, for most of which
I was left in the dark. The only notification received came in every 2 weeks
to notify me that I was still in queue. Paypal paid me $250 initially and
another $500 after the bug was fixed. The initial $250 was actually submitted
to the email address on the account I was testing with (which had actually
already been "Restricted") as opposed to my real PayPal address, which they
requested and I had provided. I was actually surprised by the amount, as at no
point was I told how much I would receive (I had originally expected the
second payment to also be $250). I appreciate the program but they have a lot
to learn; in comparison, the same process with Etsy took less than a day for
them to replicate/patch. Google, even with its size, takes roughly 3-4 weeks and
communicates fairly quickly throughout the entire process. I will say it was
rather nice to be able to cash out the bounty in just a few days after each
payment, but compared to the rest of the companies with bug bounty programs,
PayPal's ranks lowest in my opinion.

------
tectonic
As an example of a _good_ bug bounty program, my experience with Google was
excellent.

If you're interested, I wrote about it here:
<http://blog.andrewcantino.com/blog/2011/12/14/hacking-google-for-fun-and-profit/>

------
lostlogin
Maybe the writer should email the CEO or whoever it was that a week or 2 back
was announcing Paypal's brave new era of happiness, joy and customer service.

~~~
neilwillgettoit
I would if I didn't feel like it would be a waste of my fucking time.

------
johnx123-up
What tool is this <http://i.imgur.com/rRFW6.png> ?

~~~
dkordik
HackBar: <https://addons.mozilla.org/en-US/firefox/addon/hackbar/>

~~~
johnx123-up
Thanks. Is it better than Tamper Data and XSS Me?

~~~
neilwillgettoit
It's actually two different utilities. I use tamper data all the time, but
HackBar is great for generating the initial GET/POST.

------
freditup
While this is somewhat trivial, what kind of money do companies pay when you
submit a security bug? What would Paypal pay?

~~~
neilwillgettoit
For the bug mentioned in this post it was $500.

~~~
mratzloff
Wow, that's barely worth anyone's time. They must not really care that much.

~~~
duxup
If they wanted to pay it like they were paying an employee... they'd just do
that. They don't want to.

~~~
neilwillgettoit
Ideally you would think they would pay _more_ than the black-market rates for
the bugs. It's a capitalist economy in the bug markets.

