
Re: [Full-disclosure] PayPal.com XSS Vulnerability



It may also be that in many countries, including the US where PayPal is based, 
it can be difficult to enter into a legally binding contract with a minor.  In 
many cases (with exceptions) a minor can void or exit a contract as they see 
fit, so you enter into a contract with a minor at your own peril.  Sometimes a 
way around this is for a parent to enter into the contract on behalf of, or in 
addition to, the minor.

Zach

On May 28, 2013, at 8:26 AM, Dan Kaminsky <dan@xxxxxxxxxxx> wrote:

> Heya Robert,
> 
>    So there's this pile of law around the world around work and kids; it's a 
> rather recent development that <18 year olds can find problems that 
> multibillion dollar interests are willing to pay bounties for.   The laws are 
> all trying to protect you from being made to pick berries or sew t-shirts 
> instead of going to class and playing outside.
> 
>    Law may be code, but it compiles VERY slowly.
> 
>    In general, you can talk to people and things'll work out.  Lawyerspeak 
> may look daunting, but seriously, send some friendly emails, there's real 
> people on the other side of those security@ addresses and they can usually 
> figure out some way around pesky things like birthdays.
> 
> --Dan
>    
> 
> 
> On Fri, May 24, 2013 at 9:38 AM, Robert Kugler <robert.kugler10@xxxxxxxxx> 
> wrote:
> Hello all!
> 
> I'm Robert Kugler, a 17-year-old German student who's interested in securing 
> computer systems.
> 
> I would like to warn you that PayPal.com is vulnerable to a Cross-Site 
> Scripting vulnerability! 
> PayPal Inc. is running a bug bounty program for professional security 
> researchers.
> 
> https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
> 
> XSS vulnerabilities are in scope. So I tried to take part and sent my find to 
> PayPal Site Security.
> 
> The vulnerability is located in the search function and can be triggered with 
> the following javascript code:
> 
> ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
> alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
> ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
> 
> https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search
> 
> Screenshot: http://picturepush.com/public/13144090
> 
> Unfortunately PayPal disqualified me from receiving any bounty payment 
> because of being 17 years old...
> 
> PayPal Site Security:
> 
> "To be eligible for the Bug Bounty Program, you must not: 
> ... Be less than 18 years of age. If PayPal discovers that a researcher does 
> not meet any of the criteria above, PayPal will remove that researcher from 
> the Bug Bounty Program and disqualify them from receiving any bounty 
> payments." 
> 
> I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s not 
> the best idea when you're interested in motivated security researchers...
> 
> Best regards,
> 
> Robert Kugler
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 

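The locator string in the quoted report is built to break out of several output contexts at once: single- and double-quoted JavaScript strings, an HTML comment, a script block and a quoted attribute. The sketch below is an added example, not part of the original thread and not PayPal's code; it encodes a reflected search term per output context and checks the result against that string. The three sinks in the page template are assumptions, since the report does not say where the search term is reflected.

```javascript
// Added example: the template and its three reflection sinks are assumed.
const CALL = "alert(String.fromCharCode(88,83,83))";
// The locator string from the report, rejoined from its wrapped lines.
const LOCATOR =
  `';${CALL}//';${CALL}//";${CALL}//";${CALL}//--></SCRIPT>">'><SCRIPT>${CALL}</SCRIPT>`;

// HTML body and quoted-attribute contexts: encode the markup-significant characters.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function encodeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// JavaScript string-literal context: everything except ASCII letters and digits
// becomes \uXXXX, so no quote, slash or angle bracket survives in the source.
function encodeJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The 'before': the search term is pasted into all three sinks unencoded.
function renderNaive(term) {
  return `<input name="q" value="${term}"><p>Results for ${term}</p>` +
         `<script>var q = '${term}';</script>`;
}

// The 'after': each sink gets the encoder that matches its context.
function renderEncoded(term) {
  const h = encodeHtml(term);
  return `<input name="q" value="${h}"><p>Results for ${h}</p>` +
         `<script>var q = '${encodeJsString(term)}';</script>`;
}

// The template itself contains exactly one script element; any more came from input.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

function report(term) {
  return {
    naive: countScriptTags(renderNaive(term)),
    encoded: countScriptTags(renderEncoded(term)),
  };
}

console.log(report(LOCATOR));
```

The encoded page still carries the full search term: a browser decodes the entities for display, and the script block's string literal evaluates back to the original text.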