Hacking PayPal Accounts with one click (yasserali.com)
324 points by butwhy on Dec 3, 2014 | 99 comments

Pivotal paragraph: "We have found out that an Attacker can obtain the CSRF Auth which can be valid for ALL users, by intercepting the POST request from a page that provide an Auth Token before the Logging-in process, check this page for the magical CSRF Auth “https://www.paypal.com/eg/cgi-bin/webscr?cmd=_send-money”. At this point the attacker Can CSRF “almost” any request on behave of this user."

He captured a cross-site request forgery token which was valid for all users.

Someone (or even more frightening, multiple someones) at Paypal didn't understand the point of CSRF tokens. A new random value for each request is essential to maintain the integrity of the measure. CSRF tokens should never be used as a type of global authentication value. The fact that this made it to production is mind-blowing.

EDIT: Looks like I am wrong on HN. Damn.

Not necessarily.

CSRF tokens don't have to be unique per request. That's useful for things like preventing double submissions, ensuring order, or invalidating requests that are still in an active session but have timed out. However, it isn't necessarily more secure than having a secret tied to a user session and generating a token with that secret (which would, by itself, mean that any single token could continue to be used for the life of the session).

See OWASP's recommendation[0] which includes:

  In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is utilized for each subsequent request until the session expires. When a request is issued by the end-user, the server-side component must verify the existence and validity of the token in the request as compared to the token found in the session. If the token was not found within the request or the value provided does not match the value within the session, then the request should be aborted, token should be reset and the event logged as a potential CSRF attack in progress.
[0]: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(...

Don't worry, everyone on HN is wrong.

This is quite paradoxical. :)

It's just not true, i.e. false.

Assume that everyone was lying. Then this statement is true, but as a lie it must be false. Contradiction. So this case is not possible.

Assume that not everyone was lying. E.g. some other post is false. Then this statement is false. This fits together if you have another post that is false.

http://aeon.co/magazine/philosophy/logic-of-buddhist-philoso... found this on hn a while ago. You might find this relevant to the logical paradox you are exposing

This is why I can't take philosophy serious anymore.

Examples like the "this statement is false" thing are just rife with equivocations and other blatant nonsense. Yes, there is such a thing as "neither true nor false", but every example for "both true and false" I've seen is based on lousy thinking and semantic games.

Also, as a JS programmer, the distinction between true/false/neither/ineffable is very familiar (i.e.: true/false/null/undefined, null denoting the absence of a value and undefined denoting the absence of a definition -- though of course in practice the distinction is rarely necessary resulting in a lot of confusion and unnecessary double checks).

It's got nothing to do with "mysticism". It's just arm chair linguistics.

Not true, I once saw a comment on HN that was correct.

Which one?

The one that said all are incorrect.

> A new random value for each request is essential to maintain the integrity of the measure

No it isn't - Having CSRF tokens be unique per-session is perfectly adequate.

From what I can see, it should be good enough to just use the same session id which is stored in the cookie as the CSRF token. If an attacker has your session id, then CSRF is the least of your problems. I don't know why people come up with more complicated schemes... Am I wrong?

Yeah, you can. There's a couple of reasons you might not want to but there's nothing seriously wrong with doing that.

There's a good explanation here: http://stackoverflow.com/a/25475141/240921

That would make tokens valid across different applications that share a session. A compromise of one application would then jeopardize all your applications.

Just reduces the risk surface a bit.

A compromise of any session ID is more serious than losing the CSRF token anyway. Once I have your session ID I am you from the POV of the server, so who cares about the CSRF token?

Also, you may well have different session IDs across different applications anyway - pretty good idea, if you want to be able to selectively deauthorise logins.

The problem with that is that, if you steal the CSRF token (which is easier to do than a session ID hidden in a cookie), it's game over.

I'm having a hard time understanding this. My mental model of the situation is that websites figure out which user is interacting with them via a "session" cookie, which is only set once the user successfully authenticates. The CSRF "token" is a value associated with this session (that may or may not change on every request) that's included with all client-side requests as a way to guarantee that whoever is making the requests is doing so from the site's pages. For instance, if I log in to Facebook, then in a new tab open up 'somemalicioussite.com', the malicious site might force my browser to make a request to 'facebook.com/some-private-api-endpoint' to try to figure out who I am. Because it doesn't have the CSRF token, it fails.

I've never heard of using the CSRF token itself to answer the "who is this user" question. Has PayPal been using a single value for both the session cookie and the CSRF token? That seems fundamentally broken to me but it's more likely I'm misunderstanding the bug.

Note that the author does not suggest that the global CSRF token can be exploited without another user's intervention; if I understood the article correctly exploiting that token for evil would still require getting someone to click your malicious link (i.e. performing a CSRF attack)

Ah, perfect, that's the part I was missing. Just sat down and watched the video demonstration (https://www.youtube.com/watch?v=KoFFayw58ZQ#t=200) – at 3:20 he navigates the victim's browser to a site controlled by an attacker. Thanks!

There is no reason why a session can only be created after login. Think about using Amazon.com anonymously. You can add books and things to your cart without logging in. Those are stored in an anonymous session that is unique to you.

Furthermore, CSRF mitigation does not have to depend on a session existing. The CSRF token value can be written to a separate cookie unrelated to the session, whose value can be randomly modified with every page load. For every page view, the CSRF token on the form would be different, and would match an ever-changing CSRF cookie value.

    > There is no reason why a session can only be created
    > after login.
You're right, I didn't type carefully above – I mean that a session cookie can only be used to identify the current user of the website with an existing customer once the user has authenticated with the customer's credentials.

In your second scenario, while of course you could store a random value in a "CSRF cookie" on every page load, of what use could it be if you don't also store the "last CSRF cookie value" somewhere on the server and compare against that on new requests?
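The two mitigations discussed in this sub-thread (OWASP's once-per-session synchronizer token and the double-submit cookie) shown side by side with the global-token anti-pattern, as an added example written for this page, not code from the article or from PayPal; the session class, the server secret and the cookie layout are assumptions:

```python
import hashlib
import hmac
import secrets

# Constructed demo secret: a real deployment loads a per-server key from
# configuration; it is never hard-coded.
SERVER_SECRET = secrets.token_bytes(32)


class Session:
    """Minimal server-side session record (constructed for the demo)."""

    def __init__(self, user):
        self.id = secrets.token_urlsafe(32)
        self.user = user
        self.csrf_token = None


# Pattern 1: synchronizer token, generated once per session and stored server-side.
def issue_session_token(session):
    """Mint the token on first use and remember it in the session."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def verify_session_token(session, submitted):
    """Accept only the token that belongs to *this* session."""
    if session.csrf_token is None or submitted is None:
        return False
    return hmac.compare_digest(session.csrf_token, submitted)


# Pattern 2: double-submit cookie. Nothing is stored server-side; the cookie
# value carries an HMAC over the session id, so it cannot be transplanted to
# another session or forged without SERVER_SECRET. The form must echo the
# cookie, which a cross-origin page cannot read.
def issue_cookie_token(session_id):
    nonce = secrets.token_urlsafe(16)
    msg = f"{session_id}:{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_cookie_token(session_id, cookie_value, form_value):
    """Form field must equal the cookie, and the cookie must be bound to the session."""
    if cookie_value is None or form_value is None:
        return False
    if not hmac.compare_digest(cookie_value, form_value):
        return False
    nonce, sep, mac = cookie_value.partition(".")
    if not sep:
        return False
    msg = f"{session_id}:{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


# The anti-pattern from the thread: one token minted on a pre-login page and
# accepted for every user. The comparison passes, but it no longer says
# anything about which user's page originated the request.
GLOBAL_TOKEN = secrets.token_urlsafe(32)


def verify_global_token(submitted):
    return submitted is not None and hmac.compare_digest(GLOBAL_TOKEN, submitted)


def demo():
    alice, bob = Session("alice"), Session("bob")
    a_tok = issue_session_token(alice)
    issue_session_token(bob)
    a_cookie = issue_cookie_token(alice.id)
    return {
        # Synchronizer token: Alice's token is rejected for Bob's session.
        "sync_own": verify_session_token(alice, a_tok),
        "sync_cross_user": verify_session_token(bob, a_tok),
        # Double-submit: the cookie replayed under Bob's session id fails,
        # as does a form value that differs from the cookie.
        "cookie_own": verify_cookie_token(alice.id, a_cookie, a_cookie),
        "cookie_cross_user": verify_cookie_token(bob.id, a_cookie, a_cookie),
        "cookie_mismatch": verify_cookie_token(alice.id, a_cookie, a_cookie[:-1] + "x"),
        # Global token: accepted no matter whose session submits it.
        "global_any_user": verify_global_token(GLOBAL_TOKEN),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18} accepted={accepted}")
```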

Paypal should literally pay upwards of $100k for a bug like this. This is a game changing systemic security issue putting literally every single customer at risk, as well as putting at least a minor dent in the brand of a $40 billion dollar company. $10k is a joke.

Wouldn't say $10k isn't nice. Rather, I'd say that history has told us people are susceptible to money. And if someone can choose between $10k and selling information worth much more, let's just conservatively say without pulling numbers from my ass, people would choose the latter option more than Paypal ought to want them to, and that this costs them way more than the $10k they'd otherwise lose. I think that's a pretty fair statement.

Anyway, about the issue itself... Really don't know what to think, it's pretty insane, puts a lot of things into perspective once more. (the whole 'if Paypal can't secure xyz, can my local hospital keep my health records safe, am I equipped to handle my own digital security responsibilities?' train of thought).

Oh if anyone feels like thinking this through, how bad do you guys think this hack could have turned out if deployed by a malicious group? Paypal is pretty walled in with various limits, fraud checks, frozen accounts, multi-day bank transaction processing, reversible transactions, partnerships with banks to do chargebacks there, and they do KYC on every account. The offramps are therefore pretty limited unless you completely expose your identity. Of course they could buy a ton of stuff online, but how anonymous would the shipping be, and what could you buy with Paypal that would be liquid enough, would ship quickly and could be received fairly anonymously (you don't want to use this hack and end up with 100 playstations and on 3-day shipping to your own home and have police arrive before the goods do!). I wonder what the best plan of action would be, I can't really come up with any solid way to actually walk away, anonymously, with a ton of money but surely there must be one. Indulge me if you want!

Paypal Prepaid cards [1] are available instantly at retailers nationwide. You buy a physical card for ~$5 and can do instant PayPal loads of up to $300 each day with a monthly rolling limit of $2,000. You can literally take these cards to ATM's and get cash. In my experience the non-instant loads - up to $7500 - take less than 24 hours to post to the card even though it says 3-5 business days.

So, you buy some Paypal Prepaid cards, activate them and set up PayPal accounts with info bought from hacker forums, transfer money from hacked accounts to the new accounts, and use both the instant and regular Paypal load feature to load the PayPal prepaid cards to get as much cash out as possible. That card has a $940/day ATM limit, so even with 10 or 20 of them you're talking about real money for most of these criminal types. I wouldn't do this obviously, but you asked how someone might take advantage of it.

[1] https://paypal.com/prepaid

>> USA PATRIOT Act — IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW CARD ACCOUNT: To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens a Card Account. What this means for you: When you open a Card Account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see a copy of your driver's license or other identifying documents.

I also wonder if they have some verification on these cards before they're activated. (e.g. the card activation number is sent to your fake address.) It'd definitely be a solid plan IF you could create identifying documents based on stolen identities you can buy online that can fool a 17-year old cashier at a retailer, like an ID card. This is probably not trivial, but very far from impossible. And then use those cards without having to connect them to a verified Paypal account and without needing to activate the card. Nice idea!

Would need a ton of prep though if you want to walk away with more than $10k. If I had to choose (as an evil person, say) I'd still take the bounty over this idea.

You can buy the cards at retail with no ID at all. When you get home, you need to activate the card online. To do that all you need is a valid DOB/SSN/address/name combination (checked against credit header file info). They only ask for copies of ID's etc. if their online activation system can't automatically verify the info through the credit bureaus. Fortunately, full profiles with this info are available on the cheap on Russian hacker forums (less than $5 per record). They do send a permanent card in the mail about 10 days after activation, but the temporary one bought in the store and activated online is all you need to take cash from ATM's. By the time the permanent card arrived at the address you used to activate it, you would have long been done using the account.

Wow, seems pretty fool-proof then. Always thought even if you could grab a Paypal account, the damage you could do would be pretty limited due to reversible transactions, payout to the user's bank account only, limited ways to buy high value online goods instantly etc.

I wonder how successful their card program is and what percentage of their fraud is generated by it. We're seeing businesses massively shift away from cash, as are governments. But I also thought the same was happening with cards to a smaller extent. Wouldn't have expected a physical-card push from a digital money company like Paypal. I guess cards (physical or stored as digital credentials like Apple Pay) are here to stay for quite some time.

I expect for most people^, their moral codes would be more of an obstacle to exploiting this than the fear of getting caught, but I still agree with you that $10k sounds low and that there should perhaps be an exception to the maximum for bugs of this severity.

As far as the best way to remove money from the system, I would think the first step would be buying bitcoins with paypal (perhaps from a bunch of different localbitcoins sellers), then using a mixing service to anonymize them, and hold onto them for a reasonably long period of time before spending. I haven't looked into it in any detail myself, but I'm sure there are "best practices" out there for anonymizing your bitcoin transactions.

^I should clarify that I would be one of those people! That doesn't make the intellectual exercise of thinking through how one would pull it off less interesting though.

I agree with the parent comment that $10k is low for a bug of this severity. However, it's a step in the right direction that a non-trivial bounty was given, and it seems the person who found and reported the bug was satisfied with the reward. IIRC, Yahoo didn't offer monetary rewards at all until recently after the t-shirt scandal. I reported the first item duplication method I discovered in a very popular online game, and received a virtual pat on the back as a reward. I didn't even get a beta invite for a new game or expansion pack. I understand if a smaller company or open source game couldn't afford to pay a monetary bounty, but this company could definitely afford it.

I used the next dupe methods I found in that game and another more popular game by the same company to make money selling items to players. I should have reported all of the bugs instead of exploiting them regardless of the insulting lack of any bounty. We desperately needed money, and I gave in to temptation. I know that I was wrong, and hopefully my comment won't evoke responses that focus on my mistake alone. I certainly would've strongly considered reporting the bugs for a monetary bounty above $1k, the freedom to publicly explain the dupe method after the bug was patched, and a small acknowledgement from the company that I had found the bug.

Thought experiments about the most effective way to exploit a bug are a great way to discover places that flags should be set to trigger notifications of unusual activity in order to mitigate damage from exploitation. If the company that developed the game had put more effort into considering the question, "If a dupe method did exist in this game, what would be the most effective ways to profit from it?" then I wouldn't have been able to exploit the bugs for nearly ten years.

> then I wouldn't have been able to exploit the bugs for nearly ten years.

Holy shit, what game was this and in what ballpark did you raise selling duped items for nearly 10 years!? That's a story right there. Did you ever get caught?

As for rewards in virtual games... it's just a lot lower priority I guess, as it's all virtual. There's no direct loss to the company if someone is able to dupe items, unless it's really widespread, but in that case it's very noticeable quick (system wide deflation, fewer boss runs / grinding, rapidly rising item counts). It upsets the game balance and affects enjoyability (which indirectly affects subscriptions and thereby company profits), but it's not direct money out of the company's pockets (unless it's a shitty game where you can directly buy items with real money. In that case it can dampen revenues fairly quickly).

> flags should be set to trigger notifications of unusual activity in order to mitigate damage from exploitation.

I was an admin for a while and had access to every single chat log. It's pretty scary how privacy in virtual worlds doesn't at all exist, nor is there any debate about it that I know of. I'm sure companies like facebook or WoW have restrictions and various policies in place, but in a lot of games an admin will be able to simply read your chat. I frequently had to look into reports of things like racial slurs in private chats to warn or ban users (and yes, people indeed fake-reported other users they hated, so I always had to check the logs for evidence), and just scrolling through the convos you'd scroll past the craziest private things. In my early teens a decade ago now I couldn't help but read some of them. (morally pretty embarrassing to say). Anyway, as to the relevance of all this, needless to say every.single.time an exploit was found, you'd have users telling their friends in private chat IN game. You could search the logs for 'admin' or 'secret' or 'exploit' and you'd find messages like this 'Dude, keep this a secret cause admins will find out, but I just found a money duping exploit'. Anyway no admin ever did searches like this in practice, but it was pretty easy to build a flagging system. We eventually did build a proper flagging panel with charts of total credits in the game, or total unique boss items, or total XP earned. There'd be trends for the time of the day in the US/Europe mostly, and trends for the day of the week (monday low, saturday high), and you could easily see deviations from that with exploits. In short, everyone always tells their friends, and not out-of-game either, and they almost always go full retard and become insanely wealthy in the span of days. Also, when veteran players complain of another player hacking, it almost always ends up being true after tons of denial.
And it usually takes long to fix because almost half of the time the hacking player is a veteran player who is respected, trusted, well-connected and at times in partnership with admins who play themselves. Man online games are awesome, it's like the bold and the beautiful sometimes haha. Haven't played any in years though, wish I had the time I did as a teen! Feel free to share your stories! :)

> hopefully my comment won't evoke responses that focus on my mistake alone

Really don't care :P It's a game, and somehow, the drama of stuff like this is what made persistent online games so much fun. (talking about games like EVE online here, for games like counterstrike cheating is simply never fun or funny). For example check out this video: https://www.youtube.com/watch?v=XrYe_4vHzgE Mostly based on a story of two corporations vying for wormhole space based on cheating, completely awesome and epic

The game where I reported the first bug was D2. The game I was referring to in the last paragraph was WoW. I used 4 different methods over nearly 10 years to exploit the same bug. The first 3 produced an error message when the item duplication was unsuccessful. It was only unsuccessful ~10% of attempts, but I was careless enough to cause too many error messages to occur in a short period of time. I believe that's why they were patched. However, the game devs didn't investigate enough to realize my intent when causing those error messages. So they neither took action against my accounts for using the exploit (though my accounts were closed for exchanging items for real money), nor did they ever fix the underlying bug that allowed item duplication. They just fixed my methods for exploiting the bug. Then, I'd find a new method and continue.

I made enough to pay off a car, credit card debt, student loans, build a small chunk of savings, make a small down payment on a house, and live free of financial stress for a few years. It helped me immensely when I was desperate, but it didn't end very well. I wrote more about it in my blog listed in my profile. Here is an HN discussion about one of the posts that generated some interest: https://news.ycombinator.com/item?id=8439648

I believe he's talking about Diablo 2 (the timeframe works, and the game is notorious for duping), in which Blizzard provides shady third party companies with items, which are then sold to users.

> I would think the first step would be buying bitcoins with paypal

This is where your plan fails. Since it is very easy to rollback the payment with paypal, no one is going to sell you bitcoins in exchange for it, except for tiny amounts.

If you look at localbitcoins for example, there are very few sellers who accept paypal, all of them limit trades to very small amounts (mostly $100-200) and require high feedback scores and some form of KYC

Excerpt from one of the offers: "Due to previous fraudulent transactions. I can only sell you bitcoin via PayPal if you take a photo of yourself holding valid U.S. government issued ID where your face matches the photo. "

Ah, I see. Didn't realize it was that easy to reverse Paypal transactions (and I've obviously never tried to buy BTC with Paypal.) Back to the drawing board I guess! Any online casinos still take Paypal?

Don't think that this one will get you too far. Buying any significant amount of bitcoin using Paypal is next to impossible, unless you're a highly trusted party (e.g. friends or family or a reputable business like SecondMarket, but they wouldn't use Paypal anyway). It pretty much doesn't happen (apart from scams where a scammer will try to buy from unsuspecting users, then reverse the Paypal transaction and then lie to Paypal pretending they didn't buy anything. Paypal will side with the bad guy in 999/1000 cases, not because they're evil but because it's policy.) In fact, paypal shuts down bitcoin sellers by freezing their account.

Attacking company reputation is more valuable than any stuff you manage to buy with a bug like this. You just need to snatch some transactions from enough people and leak the story to the media. You do not actually need to monetize those transactions.

Valuable to a small handful of competing corporate interests, maybe, but useless to the rest of us. What are you suggesting, that Amazon might agree to funnel you a large sum of money under the table in return for divulging something like this?

As a thought exercise - I suppose you could short eBay stock and then leak the information underground. I don't think this would be considered insider info by the SEC and if you let other people do the actual stealing from accounts you haven't violated laws in that regard. When paypal finally discovers the problem and fixes it, you inform the media what happened (assuming paypal doesn't fess-up) and then buy back your shorted stock after the inevitable drop in stock price. Maybe someone more knowledgeable could comment on if/where this might be illegal?

I'd assume there's rules against this sort of stuff, perhaps falling under bigger items like aiding and abetting in a crime.

And I'd definitely assume it'd be considered insider trading.

But it's a very clean way. There aren't really any direct traces to you as you didn't enter into any actual agreement or conversations with anyone. You'd just dump information one sided, that's pretty easy to do anonymously. And if you look at the volume of trade on eBay, it'd be very unlikely they'd be able to pinpoint who was the source of the hack based on trading alone, if they even look for a link between traders and the hack in the first place. And even if they can reasonably say it might be you cause you just shorted $250k out of the blue (still puny volume for a stock like this), there'd be no way to prove anything else.

The biggest issue I'd say is having been tracked by server logs while finding out about the security leak.

As for whether it's a good plan... I wouldn't take it myself if I was evil. First it's probable that wherever you leak it underground to, will go to Paypal and collect a bounty. It'd be a quick fix probably in a span of mere hours after they become aware of it. It wouldn't show up on the price charts much if at all, I mean this story went pretty unreported, right? Even if you put up $100k, the price may drop 1-3%, that's peanuts for an opportunity like this, and it requires a shitton of spare money. Even if you leverage it, you might just coincide it with some big news. For example, since he reported the bug publicly, the price has risen by 9-10%. If you shorted that with leverage, ouch.

Safe but not very effective I think, good try in any case!

Since you could time the release of the news, put options with relatively short expiry could get you a much larger windfall than shorting the stock. Regardless though I'm sure this would be illegal in several ways. Even if you don't hack them yourself, you're going to be responsible for sharing the info. (And if you're just worried about getting caught, I wouldn't be surprised at all if the FBI looks at suspicious trading surrounding an incident like that, which might be all that's needed to start them on your trail.)

That would be quite interesting. Leaking it to the media so they can report that the hack is happening right then and has not been identified by Paypal yet. Panic!

Their bug bounty is $10k, plus you get to talk about it, plus you don't go to jail. That's a pretty compelling package when compared to the $100k but your suspicious activity is forwarded to the cops.

Or you sell the exploit to some organized crime ring and are not the one on the hook for the actual attack. Not that I agree with that, however my point is that there are people out there that purchase exploits like this.

You could probably make a lot more from a government agency and still not go to jail - http://readwrite.com/2012/10/04/the-shadowy-world-of-selling...

And at $100k, there would be a lot fewer people taking the jail-and-silence risk.

Plus you don't have to figure out how to hide $100K on your taxes.

I personally would take the 10k because the reputation from finding a bug like this alone is worth more than that, but pretending I wanted to go black market, I can't imagine it would be particularly hard to launder money as long as you paid the taxes that came with that money.

Reminds me of how PayPal implemented 2FA, then someone immediately found a bypass since they only made 2FA a requirement for a particular web login page instead of EVERY login entry-point (ie mobile or APIs). PayPal's security continues to be embarrassingly bad.

Not only that - I recently spent about one week of constant back-and-forth with their developer support, because I couldn't pay with Paypal on certain sites.

Turns out their digital goods checkout is broken for accounts that have 2fa enabled. Their response was "WONTFIX, disable 2FA".

They're not laughably bad, they have had to manage a huge, aging software system and build infrastructure on top and around it.

They may have made many mistakes, but some of the smartest people I know work there, and most of the work they do is first-class.

> most of the work they do is first-class

Are we talking about the same PayPal?

Have you seen their web interface or their APIs? It hasn't evolved at all in 10 years. It's the same convoluted, bloated, and slow web experience as it was in 2005. Just because a few smart people work there doesn't mean the project is outputting quality software.

Countless software companies have been able to take aging and massive codebases and evolve them to more modern usable states. Most of the time these big companies such as Microsoft or Oracle still output bad software but at least they show signs of evolution and investment. From an outsider's perspective Paypal is particularly bad at this, their software quality and UX has been in a perpetual stasis while Stripe and others eat their lunch. And that's not simply because of their famously bad customer service.

I'm not a PayPal fan - but at least on my account, the UX has changed significantly since 2005 (especially last year or something), and I could find everything I need for my accounting easily.

The general consumer interface is great now. The business interface, however, is not. It's still the same slow UI from 2005. Actually, it feels like they are still running on servers from 2005. Simple (email, date range, etc...) searches take FOREVER.

The business interface is also upgraded unless you decided to opt out.

Can't say I noticed an opt-in, thanks for the info.

Ah, I thought I was automatically upgraded but it was a while ago.

    >> some of the smartest people I know work there
This ridiculously incompetent security flaw suggests otherwise.

The interesting thing is there was a time when PayPal was successful partially due to their excellent security. The story that some ex-PayPal people who are at Palantir tell is that PayPal was very successful in blocking fraudulent transactions where other early online payment players were not. This allowed them to keep their margins higher (not losing to fraud) and spend their money on improving the product.

I have no inside information here, this was told to me by Palantir people when interviewing there.

That sounds like an engineering culture that doesn't let their engineers do things properly. 'It takes too much time and political clout to properly secure our infrastructure, let's just do it on one chokepoint!'

I think I speak for us all when I say ???????!!!!!!!. This exploit is as big as they come. They should have paid him many times their $10k maximum bounty in exchange for an NDA, as I am sure I am not alone in saying that this shakes my confidence in PayPal. While I have never trusted them as far as random account freezings etc., I didn't ever expect something as fundamental and serious as this. When you think of all the engineers they must have dedicated to security, it is almost unfathomable that this was missed.

Security is hard. I think the more important thing here is that Paypal fixed it quickly and honored the bug bounty. I'd be more worried if they tried to shove it under the rug.

> Security is hard.

Security is hard. But activating tokens before a user has actually logged in is a breathtakingly incompetent, fundamental design flaw. How such code ever made it into the production code base of a company responsible for protecting billions of dollars along with financial information for a significant portion of the world is incomprehensible. It makes me wonder what else is lurking over there.

10K for this kind of vuln is very cheap on their part.

This is serious when you consider that they are moving millions of transactions every day...

CSRF valid for ALL users, ouch!

Their bounty program[1] states:

> We may pay beyond the range at times when bugs are found to have significant risk.

If they don't consider this a significant risk, I'm not sure what is.

[1] https://www.paypal.com/webapps/mpp/security/reporting-securi...

Perhaps it is so they don't give staff incentive to leak a vulnerability. If they offer 100k it may be more tempting for a staff member to tell a friend of a friend, and share the prize. It would be stupid of course, but possible.

Then just allow staff to also claim the prize? Seriously, given the risks and the money rewards, it's a bargain.

It may encourage sloppy coding, because the worse the code, the more potential for your teammates to win a prize.

However a separate salaried 'cracking' team in another city, with bonuses for exploits found might work.

If it's any consolation, 10k USD is about 14x the median monthly salary in Egypt.


Consider what the finder could have sold the exploit for, and the damage it could have caused.

I think, given that you could effectively steal from any account for which you knew the email, it was worth significantly more than 10k.

> you could effectively steal from any account for which you knew the email

If you succeed in CSRF-attacking him, that is.

So what? The value of the vulnerability to PayPal does not change whether the finder is in Egypt or Norway. PayPal should pay based on its perceived value, and not the finders.

Paypal's Bug Bounty program, for the curious: https://www.paypal.com/webapps/mpp/security/reporting-securi...

Paypal detects that I'm in Brazil and gives me the Brazilian version of the website, in which the link is 'Not Found'.

There is no locale in the URL whatsoever. I have to manually change my country to United States in their menu and then I'm able to access the URL. So annoying.

Why not show the page with a simple warning such as "Sorry, we don't have this content in your language, here's the original:"...

This kind of thing is so frustrating. It's one of those features where "somebody got a raise for that", except it's so hostile towards users. Google is absolutely the worst. Installed an app in one country that's not available in another? Cool, now you get a 404 in the Play Store.

In Denver, Google has also at times decided I'm in France, then Hungary, with absolutely no way to fully disable it on sites like YouTube or Google.com (you always get the links and logos, and alt-text for images is still in the "local" language). Play Store shows certain section subtitles in one language, even though Android and everything else is in another.

I recently went to buy some books for my kids. The publisher's site detected I was in another country, and hid the book information with a page suggesting I contact a local reseller. Despite that I was just visiting another country at the time. No way to override.

Chrome would do the same on install, and offer no way to remove the default search engine from the localized copy. You could change to another one, but not fully delete it. Meanwhile, the entire UI stays in whatever language they decided. So despite using Windows in English, browser in English, etc. etc., Google thought it'd be cool to run in Spanish, or Russian, or whatever, based on your IP address. Moronic.

Netflix has similar problems - the site does not respect language preferences completely and things like search autocomplete will use the "detected" language. Traveling and contacting support? Cool. Despite every indication you're using English, they'll route you to support in a local language. It's insane.

The one thing the HTTP spec got right, Accept-Language, and everyone just ignores it and implements this shitty geo localization + language handling. And they think it's a feature, and every time someone implements this, they probably get a pat on the back and a raise for doing something intelligent. FFS.

From what I've understood about Paypal, international entities are more or less completely separate from Paypal US (hence these sorts of events).

Commonly it was API features that work subtly differently depending on the region of the world you're in, but help pages also end up with completely different URL schemes.

They cannot be: I had an account at the American Paypal and it was automatically transferred to Brazil when they opened here.

Huh, they just told me to open a new account in Europe...

That's not an excuse really, they could easily have gotten that sorted if PayPal HQ (US I guess?) wanted to.

Doesn't work in France either :(

It's a bad link, doesn't work in the US either

Works fine for me

Is it just me or are these bounties really low? Unless I'm misunderstanding, identification bypass could be incredibly damaging for the company and their customers, but it's only got a $3000 reward?

In my personal opinion you want to balance bounties against how much money the person could receive using the exploits, vs the amount of trouble they could potentially get into.

It's insultingly low. Auth bypass is easily worth 5 or 6 figures if you can use it to transfer money.

You overestimate the value of these bugs to the black market. There is no shortage of hacked PayPal accounts for sale on the various dark net markets because the hard part is getting money off the accounts. PayPal will flag a transfer for a dozen different reasons. If you don't log in to the hacked account from an IP close to the location of its owner; if you immediately attempt to transfer money off the account to a bank account; etc.

They're a "here's a token of thanks", not a "please don't sell it".

That's kinda hard to evaluate without having actually done it. That said, such a bug, if it works as expected, might be much more highly priced in the black market.

The dev posted in the comments that he received $10,000

Oh man. Security is hard, and I expect security flaws to be found in almost any software.

But these don't _seem_ to be flaws that you'd have if you were spending as much money/resources/prioritization on security as I'd expect a business in Paypal's business to be spending.

Am I wrong?

Maybe, but maybe it is strategy rather than money.

This exploit is the result of several bugs in different systems coming together into one "super bug." If you have the same developers who wrote the code go back over that same code they may not spot the bugs.

Microsoft do code reviews but they also do fuzzing, unit testing, path diagrams, and other methods with the hope that each type of testing will uncover different bugs. However when you have bugs caused by multiple systems working together badly, it might be better solved by policy (e.g. this ONE piece of code does all of our CSRF from now on, no re-implementing it five different times).
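Two points from this thread deserve a concrete illustration: the comment above that tokens were "activated before a user has actually logged in", and the suggestion here that ONE piece of code should do all of the CSRF checking. The following is an added example (my own, not PayPal's code and not from the linked write-up) of a session-bound CSRF token with a single enforcement point. It assumes a server-side session object carrying a session id and, after login, a user id; `SECRET_KEY`, `Session`, `send_money` and the form fields are constructed for the demo. For contrast it also includes the flawed pattern the thread describes, a token that does not depend on the session and therefore verifies for every user.

```python
"""Session-bound CSRF tokens vs. a global token (added example)."""
import hmac
import hashlib
import secrets

# Constructed: a per-deployment server secret. In production this is
# loaded from configuration, never generated at import time.
SECRET_KEY = secrets.token_bytes(32)


class Session:
    """Minimal stand-in for a server-side session record (constructed)."""

    def __init__(self, session_id, user_id=None):
        self.session_id = session_id
        self.user_id = user_id  # None until the user has logged in


def issue_csrf_token(session):
    """Mint a CSRF token bound to this authenticated session.

    Tokens are only issued after login, so a pre-login page can never hand
    out a token that later works for a logged-in user. The token is an HMAC
    over (session id, user id) under the server secret, so it is unguessable
    without SECRET_KEY and cannot be transplanted to another session.
    """
    if session.user_id is None:
        raise PermissionError("no CSRF token before login")
    msg = f"{session.session_id}:{session.user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def verify_csrf_token(session, presented):
    """Check a submitted token against the *current* session only.

    Recomputing the HMAC for this session means a token minted for any
    other session, or before login, will not match. Comparison is
    constant-time so the check does not leak the expected value.
    """
    if session.user_id is None or not presented:
        return False
    expected = issue_csrf_token(session)
    return hmac.compare_digest(expected, presented)


def csrf_protected(handler):
    """Single enforcement point: every state-changing handler is wrapped
    with this, so CSRF checking is implemented exactly once."""

    def wrapper(session, form):
        if not verify_csrf_token(session, form.get("csrf_token")):
            return ("403", "CSRF check failed")
        return handler(session, form)

    return wrapper


@csrf_protected
def send_money(session, form):
    """Constructed state-changing action; only reachable via the wrapper."""
    return ("200", f"{session.user_id} sent {form['amount']} to {form['to']}")


# The flaw discussed in the thread, for contrast: a token that does not
# depend on the session is effectively a shared secret for all users.
GLOBAL_TOKEN = secrets.token_hex(16)


def verify_global_token(_session, presented):
    """Accepts the same token for every session; anyone who has seen it
    once can forge requests for any user. Do not use."""
    return hmac.compare_digest(GLOBAL_TOKEN, presented or "")


def demo():
    """Walk through the cases: own session, another user, pre-login."""
    alice = Session("sess-A", user_id="alice")
    bob = Session("sess-B", user_id="bob")
    anon = Session("sess-C")  # not logged in
    token = issue_csrf_token(alice)
    return {
        "alice_uses_own_token": send_money(alice, {"csrf_token": token, "amount": "5", "to": "bob"})[0],
        "bob_replays_alice_token": send_money(bob, {"csrf_token": token, "amount": "5", "to": "eve"})[0],
        "anon_with_alice_token": verify_csrf_token(anon, token),
        "global_token_works_for_bob": verify_global_token(bob, GLOBAL_TOKEN),
    }


if __name__ == "__main__":
    print(demo())
```

The session id should also be rotated at login (standard session-fixation hygiene), which with this scheme automatically invalidates anything minted earlier in the same browser. A request that fails the check should be logged, as the OWASP guidance quoted earlier in the thread says.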

well, by definition you're wrong.

it wouldn't surprise me if companies such as paypal have moles who actively compromise software through subtle means. if it can happen in the government it can definitely happen in a huge software company.

Possibly even -by- the government. No tinfoil hat needed; thanks, NSA!

Thanks for this. Another reason for me to get off Paypal as fast as I can. I understand that vulnerabilities can exist with any system but Paypal just continues to amaze. Unfortunately, I still have 3 customers on paypal :(

Anyone know what the interception proxy/tool he's using in the screenshots is? I could really have used that a few days ago

It's Burp Suite. http://www.portswigger.net/

Scary stuff. My Paypal was compromised earlier this week; wondering if this vulnerability or one like it was used.

I can only imagine how much money he got for this one. Very serious bug given how easy it was to reproduce.

Says in his blog comments he got paid $10,000

Should have used js, fuckin noobs
