PayPal Bug Bounty - a lesson in not being a fuckup (l8security.com)
168 points by neilwillgettoit on Oct 19, 2012 | 25 comments

A lovely information leak on Paypal's front page: if you attempt to log in with a banned account, and any password whatsoever, it gives you a nice error message saying that account is banned (therefore confirming the account exists, info leak #1) and also gives the current account balance (info leak #2).

I know this because my account is banned.

Why's my account banned? Because in 2006 I received an unsolicited phone call from somewhere in Nebraska claiming to be Paypal and informing me they needed to verify my account credentials. I played along with the obvious phishing attempt for a few minutes until they demanded the email and mailing address on my account to "verify I was the account holder". I told the woman on the other end to go fuck herself and hung up. Turns out it was Paypal and they banned me for failing account verification.

Fuck Paypal.
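The pre-authentication leak described in this comment, as an added example that is not code from the original thread or from PayPal: a login handler that reports restricted status and balance before checking the password, beside one that authenticates first and answers every failure identically. The account records, e-mail addresses and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed in-memory account store (sample data, not PayPal's).
# Each record: salted PBKDF2 password hash, restricted flag, balance in cents.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
ACCOUNTS = {
    "alice@example.com": {"hash": _hash("correct horse", _SALT), "restricted": False, "balance_cents": 1_250},
    "banned@example.com": {"hash": _hash("battery staple", _SALT), "restricted": True, "balance_cents": 98_765},
}

GENERIC_FAILURE = "Invalid email or password."

def leaky_login(email: str, password: str) -> str:
    """Models the behaviour described in the thread: the restricted check runs
    before the password check, so any password at all reveals that the account
    exists, that it is restricted, and what its balance is."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return GENERIC_FAILURE
    if acct["restricted"]:
        return f"This account is restricted. Balance: ${acct['balance_cents'] / 100:.2f}"
    if hmac.compare_digest(acct["hash"], _hash(password, _SALT)):
        return "Login OK"
    return GENERIC_FAILURE

def hardened_login(email: str, password: str) -> str:
    """Authenticate first, then (and only then) disclose account state.
    Unknown-user and wrong-password cases produce the same response, and the
    hash is still computed for unknown users so the two paths cost the same."""
    acct = ACCOUNTS.get(email)
    # Dummy record for unknown e-mails keeps the work done roughly constant.
    stored = acct["hash"] if acct else _hash("", _SALT)
    if not hmac.compare_digest(stored, _hash(password, _SALT)) or acct is None:
        return GENERIC_FAILURE
    if acct["restricted"]:
        # The caller has proven they hold the credentials; saying the account
        # is restricted is fine. The balance still belongs behind a separate
        # authenticated page, not in the login response.
        return "Login OK, but this account is restricted. Contact support."
    return "Login OK"
```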

Why don't PayPal and other services add a Verified PayPal code to a user's account page, and train users to log in during these phone calls and ask the caller for the code?

The training itself - if you're being verified, you should do the same of the caller - would have immense societal value.

IIRC PayPal used to be particularly bad about obliviously sending emails and phoning users, asking for contact info or other info that shouldn't be communicated in such a way.

You sure it wasn't for saying "go fuck yourself"?

So what if he said that? I'm more curious if they actually went and did what he demanded. Perhaps they didn't like the experience.

Bad Luck Brian...is it you?

Anecdotally I've seen similar bad behaviors in a lot of bug bounty programs:

- I haven't submitted to PayPal, but I do have a minor eBay XSS which I reported in May (eBay doesn't have a bounty program, but they do have a responsible disclosure policy: http://pages.ebay.com/securitycenter/Researchers.html). The last time I asked if the issue was patched I was told "Not yet. We'll let you know when this is resolved." This was in June, I haven't re-tested recently.

- When CCBill had a bug bounty program I was able to gain access to their admin panel because it was publicly accessible and linked to via a directory index. That followed a story similar to the one here (I reported it, it was rejected as a duplicate, I followed up about a month later when it still wasn't patched, and they quietly patched it and paid me money).

- Yandex recently launched a bug bounty program. So far I've submitted 3 or 4 issues. I've only heard about one of them: it was marked as a duplicate, which is fine, but weeks later the issue still isn't patched.

That being said there are companies like Google, Mozilla, Facebook, Etsy, GitHub, Reddit, and many others which take responsible disclosure of security issues seriously. But it does seem like certain companies need to re-examine how they handle reports from external researchers.

you're a hero of mine. thank you for this. seriously.

It's interesting you had to work with CCBill, don't know too many other (good) developers who were in that industry. I have so many horror stories with CCBill and Epoch.

I've actually submitted, and was recently paid for, a PayPal XSS bug. I had the same issue with the expired PGP key and also received the new key from them manually. The whole process took around 4 months to complete, for most of which I was left in the dark. The only notification received came in every 2 weeks to notify me that I was still in queue. PayPal paid me $250 initially and another $500 after the bug was fixed. The initial $250 was actually submitted to the email address on the account I was testing with (which had actually already been "Restricted") as opposed to my real PayPal address, which they requested and I had provided. I was actually surprised by the amount, as at no point was I told how much I would receive (I had originally expected the second payment to also be $250). I appreciate the program, but they have a lot to learn; in comparison, the same process with Etsy took less than a day for them to replicate/patch. Google, even with its size, takes roughly 3-4 weeks and communicates fairly quickly throughout the entire process. I will say it was rather nice to be able to cash out the bounty in just a few days after each payment, but compared to the rest of the companies with bug bounty programs, PayPal's ranks lowest in my opinion.

As an example of a good bug bounty program, my experience with Google was excellent.

If you're interested, I wrote about it here: http://blog.andrewcantino.com/blog/2011/12/14/hacking-google...

Maybe the writer should email the CEO or whoever it was that a week or 2 back was announcing Paypal's brave new era of happiness, joy and customer service.

I would if I didn't feel like it would be a waste of my fucking time.

You've probably missed the interesting comment that I copy-pasted here: http://news.ycombinator.com/item?id=4647980

What tool is this http://i.imgur.com/rRFW6.png ?

Thanks. Is it better than Tamper Data and XSS Me?

It's actually two different utilities. I use Tamper Data all the time, but HackBar is great for generating the initial GET/POST.

Correct. It's really nice just because it splits each field onto a different \n.

While this is somewhat trivial, what kind of money do companies pay when you submit a security bug? What would Paypal pay?

For the bug mentioned in this post it was $500.

PayPal pays a lot less than other companies that are serious about their security. A bug like the one in the post could be sold on the black market for thousands and thousands more.

Wow, that's barely worth anyone's time. They must not really care that much.

If they wanted to pay it like they were paying an employee... they'd just do that. They don't want to.

Ideally you would think they would pay more than the black-market rates for the bugs. It's a capitalist economy in the bug markets.
