November 24, 2014

PayPal bug bounty program not working as well as it should

(LiveHacking.Com) – It appears that the PayPal online payment service isn’t as secure or as flexible as they would like us to believe! In a recent email exchange between SC Magazine and Neil Smith, who works for Texas-based Zing Checkout, Smith revealed that he has found authentication errors with one of PayPal’s sites and that PayPal is being a bit grumpy when it comes to payouts for reporting these genuine and worrying flaws.

According to a blog post written by Neil, he discovered an authorization bypass issue at the end of June, along with a cross-site scripting (XSS) error. It took PayPal until the end of August to acknowledge and pay for the XSS error, but the authorization bypass was declared “invalid”.

Reflecting on his feelings when he originally found the error, Neil wrote: “At this point, I’m giddy. This is obviously going to be big. At this point, I realize I’m on the verge of crossing the line when it comes to the terms of the bug bounty program, so I start writing up my report and look forward to seeing what comes of this.”

Since PayPal didn’t see the issue as big, Neil asked the online payment company if he could fully disclose the issue, but it said no! That is worrying, because if the bug really were invalid, PayPal shouldn’t care whether it is disclosed.

The good news is that PayPal has since paid for his bug disclosures, and PayPal’s chief security officer Michael Barrett has begun working with him to identify further holes.

“For the record, Michael Barrett is a great guy who I have the utmost respect for, and I have had quite a bit of correspondence with him directly after my blog post. Also, since the blog post, per the request of Michael Barrett, I combed back through the PayPal QA netblock since I first took a look at it over the summer, and have several new outstanding bug reports that are actively being addressed (a few of which are much more serious than what my post covered),” Smith said.

PayPal’s program is new and can be allowed the occasional foul-up, but PayPal needs to learn that good communication with security researchers is key to a successful bug bounty program.
