April 23, 2014

PayPal fixes a SQL injection vulnerability, pays researcher $3,000 reward for discovery

(LiveHacking.Com) – PayPal has paid out $3000 in reward money to a security researcher who found and reported a SQL injection vulnerability. The payout, made under PayPal’s bug bounty program, went to researchers at Vulnerability Laboratory, who discovered a blind SQL injection vulnerability in the official PayPal website.

According to an advisory sent to the Full Disclosure security mailing list, the vulnerability allows remote attackers to inject SQL commands into the affected application’s DBMS. The vulnerability is located in the Confirm Email module and is reached through the bound, vulnerable id input field.

When the vulnerability is exploited, the injected SQL command is executed as the Confirm Email module reloads the page. Exploiting it requires a normal, low-privileged PayPal user account.
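As an added illustration that is not taken from the advisory or from PayPal’s code, the constructed Python/sqlite3 example below puts a hypothetical confirm-email lookup written the vulnerable way (the request’s id value pasted into the query text) next to a hardened version that validates the type and binds the value as a query parameter; the table, sample rows and function names are assumptions. The binding approach also covers string-typed lookups such as a confirmation token, which the example shows as well.

```python
import sqlite3

# Constructed sample rows standing in for a "confirm email" table (not a real schema).
SAMPLE_ROWS = [
    (1, "alice@example.com", "tok-alice"),
    (2, "bob@example.com", "tok-bob"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE confirmations (id INTEGER PRIMARY KEY, email TEXT, token TEXT)"
    )
    conn.executemany("INSERT INTO confirmations VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def confirm_vulnerable(conn, id_param):
    """Hypothetical vulnerable handler: the id from the request is pasted into the SQL.

    A blind injection needs nothing more than this boolean outcome (row found or not)
    to drive the database one yes/no question at a time.
    """
    sql = f"SELECT email FROM confirmations WHERE id = {id_param}"
    return conn.execute(sql).fetchone() is not None


def confirm_hardened(conn, id_param):
    """Hardened handler: reject non-numeric ids, then bind the value as a parameter
    so the database engine never treats request data as SQL text."""
    try:
        id_value = int(id_param)
    except (TypeError, ValueError):
        return False
    row = conn.execute(
        "SELECT email FROM confirmations WHERE id = ?", (id_value,)
    ).fetchone()
    return row is not None


def confirm_token_hardened(conn, token):
    """Same idea for a string-typed lookup: binding keeps quotes in the input literal."""
    row = conn.execute(
        "SELECT email FROM confirmations WHERE token = ?", (token,)
    ).fetchone()
    return row is not None
```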

Although the posting included a proof of concept, PayPal fixed the underlying problem within a very short time of the vulnerability being discovered. This all happened on 12th January 2013, and there is no evidence that the vulnerability was actually exploited in the wild.

Reward schemes for finding security-related bugs have become common in the security industry, with companies like Google and Facebook paying out substantial rewards for verifiable vulnerabilities in their software. Google recently announced its third Pwnium competition, Pwnium 3, which will focus on Chrome OS. The search giant is making up to $3.14159 million USD available in rewards for demonstrable attacks against a base (WiFi) model of the Samsung Series 5 550 Chromebook running the latest stable version of Chrome OS.

Since PayPal handles millions of dollars in transactions per day, it is important that it has this extra level of help from ethical hackers. As you can imagine, however, the company doesn’t publicize any vulnerabilities found!
