Re: [Full-disclosure] PayPal.com XSS Vulnerability
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] PayPal.com XSS Vulnerability
- From: Andre Helwig <a.helwig@xxxxxxxxxxxx>
- Date: Wed, 29 May 2013 16:11:06 +0200
Best solution, don't report the bugs.
Use the bugs to get your money.. and publish them afterwards :D
On 29.05.13 16:04, James Condron wrote:
> Hrm,
>
> I read it that the issue was still the age but that the previous disclosure
> was another reason they had found. It's sneaky and poor but I didn't read it
> as a change in reason; just an additional thing they found. It may even be
> true.
>
> The fact is they handled this poorly but whether they're lying about another
> person finding it or not had they been cleverly dishonest they would have
> gone with that in the first place.
>
> They really ought to pay, though.
>
> On 29 May 2013, at 14:51, Jeffrey Walton <noloader@xxxxxxxxx> wrote:
>
>> Hi James,
>>
>>> I guess the email from ebay sorta makes it all moot anyway.
>> It's interesting how the reason code changed. On May 24 the reason was
>> Kugler was too young; and then on May 29 the reason was the flaw was
>> previously reported.
>>
>> It sounds like PayPal is lying to bring this to an end; and they've
>> lost more credibility.
>>
>> Jeff
>>
>> On Wed, May 29, 2013 at 9:22 AM, James Condron
>> <james@xxxxxxxxxxxxxxxxxxxx> wrote:
>>> Ah, but then don't forget that in a contract (which this most certainly is
>>> not, but the parallels are there) ambiguity benefits the party which didn't
>>> draft the document.
>>>
>>> If it's reasonable to infer a payment, and reasonable to fail to infer an
>>> age range, I think it's reasonable to get paid for it.
>>>
>>> I guess the email from ebay sorta makes it all moot anyway.
>>>
>>> On 29 May 2013, at 13:33, Julius Kivimäki <julius.kivimaki@xxxxxxxxx> wrote:
>>>
>>>> Well, they don't exactly state that they're going to pay you either.
>>>>
>>>>
>>>> 2013/5/29 Źmicier Januszkiewicz <gauri@xxxxxx>
>>>>
>>>>> Hmm, interesting.
>>>>>
>>>>> For some reason I fail to find the mentioned "age requirements" at the
>>>>> official bug bounty page located at
>>>>> https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
>>>>> Am I looking in the wrong direction? Can someone please point to where
>>>>> this is written?
>>>>>
>>>>> With kind regards,
>>>>> Z.
>>>>>
>>>>>
>>>>> 2013/5/29 Robert Kugler <robert.kugler10@xxxxxxxxx>
>>>>>
>>>>>>
>>>>>>
>>>>>> 2013/5/29 Jeffrey Walton <noloader@xxxxxxxxx>
>>>>>>
>>>>>>> On Fri, May 24, 2013 at 12:38 PM, Robert Kugler
>>>>>>> <robert.kugler10@xxxxxxxxx> wrote:
>>>>>>>> Hello all!
>>>>>>>>
>>>>>>>> I'm Robert Kugler, a 17-year-old German student who's interested in
>>>>>>>> securing computer systems.
>>>>>>>>
>>>>>>>> I would like to warn you that PayPal.com is vulnerable to a Cross-Site
>>>>>>>> Scripting vulnerability!
>>>>>>>> PayPal Inc. is running a bug bounty program for professional security
>>>>>>>> researchers.
>>>>>>>>
>>>>>>>> ...
>>>>>>>> Unfortunately PayPal disqualified me from receiving any bounty payment
>>>>>>>> because of being 17 years old...
>>>>>>>>
>>>>>>>> ...
>>>>>>>> I don’t want to allege PayPal a kind of bug bounty cost saving, but
>>>>>>>> it’s not the best idea when you're interested in motivated security
>>>>>>>> researchers...
>>>>>>> Fortunately Microsoft and Firefox took more reasonable positions on
>>>>>>> the bugs you discovered with their products.
>>>>>>>
>>>>>>> PCWorld and MSN picked up the story:
>>>>>>>
>>>>>>> http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html
>>>>>>> and
>>>>>>> http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code
>>>>>>>
>>>>>>> It is now newsworthy to Wikipedia, where it will live forever under
>>>>>>> Criticisms (unfortunately, it appears PayPal does a lot of
>>>>>>> questionable things so it's just one of a long list).
>>>>>>>
>>>>>>> Jeff
>>>>>>>
>>>>>> Today I received an email from PayPal Site Security:
>>>>>>
>>>>>> "Hi Robert,
>>>>>>
>>>>>> We appreciate your research efforts and we are sorry that our
>>>>>> age requirements restrict you from participating in our Bug Bounty
>>>>>> Program.
>>>>>> With regards to your specific bug submission, we should have also
>>>>>> mentioned that the vulnerability you submitted was previously reported
>>>>>> by another researcher and we are already actively fixing the issue. We
>>>>>> hope that you understand that bugs that have previously been reported
>>>>>> to us are not eligible for payment as we must honor the original
>>>>>> researcher that provided the vulnerability.
>>>>>>
>>>>>> I would also mention that in general, PayPal has been a consistent
>>>>>> supporter of what is known as “responsible disclosure”. That is,
>>>>>> ensuring that a company has a reasonable amount of time to fix a bug
>>>>>> from notification to public disclosure. This allows the company to fix
>>>>>> the bug, so that criminals cannot use that knowledge to exploit it, but
>>>>>> still gives the researchers the ability to draw attention to their
>>>>>> skills and experience. When researchers go down the “full disclosure”
>>>>>> path, it then puts us in a race with criminals who may successfully use
>>>>>> the vulnerability you found to victimize our customers. We do not
>>>>>> support the full disclosure methodology, precisely because it puts real
>>>>>> people at unnecessary risk. We hope you keep that in mind when doing
>>>>>> future research.
>>>>>>
>>>>>> We acknowledge that PayPal can do more to recognize younger security
>>>>>> researchers around the world. As a first step, we would like you to be
>>>>>> the first security researcher in the history of our program to receive
>>>>>> an official "Letter of Recognition" from our Chief Information Security
>>>>>> Officer Michael Barrett (attached, will follow up with a signed copy
>>>>>> tomorrow). We truly appreciate your contribution to helping keep PayPal
>>>>>> secure for our customers and we will continue to explore other ways that
>>>>>> we can provide alternate recognition for younger researchers.
>>>>>>
>>>>>> We'd welcome the chance to explain this all to you firsthand over the
>>>>>> phone, please email us at this address with a number and good time to
>>>>>> reach you and we’d be happy to follow up.
>>>>>>
>>>>>> Thank you,
>>>>>> PayPal Site Security"
>>>>>>
>>>>>> It's still curious that they only mentioned the first researcher who
>>>>>> previously found the bug after all the media attention... Nevertheless I
>>>>>> appreciate their intentions to acknowledge also younger security
>>>>>> researchers, it's a step in the right direction!!
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Robert Kugler
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
--
SysEleven GmbH
Umspannwerk - Aufgang C
Ohlauer Straße 43
10999 Berlin
Tel +49 30 233 2012 0
Fax +49 30 616 755 50
http://www.syseleven.de
http://www.facebook.com/SysEleven
Registered office: Berlin
Court of registration: AG Berlin Charlottenburg, HRB 108571 B
Managing directors: Marc Korthaus, Thomas Lohner