April 19, 2014

PayPal fixes a SQL injection vulnerability, pays researcher $3,000 reward for discovery

(LiveHacking.Com) – PayPal has paid out $3000 in reward money to a security researcher who found and reported an SQL injection vulnerability. The payout, which comes under PayPal’s bounty program, went to researchers at Vulnerability Laboratory who discovered a blind SQL injection vulnerability in the official PayPal website.

According to an advisory sent to the Full Disclosure security mailing list, the vulnerability allows remote attackers to inject SQL commands into the affected application’s DBMS. The vulnerability is located in the Confirm Email module, in the bound id input field.

The injected SQL command is executed when the Confirm Email module reloads the page. Exploiting the vulnerability requires a normal, low-privileged user account on PayPal.
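To show the bug class the advisory describes, here is an added example (not from the advisory, and not PayPal’s code) modelling a confirm-email lookup keyed by an id field: the first function pastes the id into the SQL text, the second validates it and binds it as a parameter. The table, column names and sample rows are constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for a confirm-email table (not a real schema)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE email_confirm (id INTEGER PRIMARY KEY, email TEXT, confirmed INTEGER)"
    )
    con.executemany(
        "INSERT INTO email_confirm VALUES (?, ?, ?)",
        [(1, "alice@example.com", 0), (2, "bob@example.com", 0), (3, "carol@example.com", 1)],
    )
    return con


def lookup_vulnerable(con, id_param):
    """Bug class from the advisory: the id input becomes part of the SQL statement,
    so anything the client sends in that field is parsed as SQL by the engine."""
    sql = f"SELECT id, email FROM email_confirm WHERE id = {id_param}"
    return con.execute(sql).fetchall()


def parse_id(id_param):
    """Return the id as an int, or None if it is not a plain decimal integer."""
    if isinstance(id_param, str) and id_param.isdigit():
        return int(id_param)
    return None


def lookup_hardened(con, id_param):
    """Fix: type-check the id first, then bind it as a parameter so user data
    is never interpreted as SQL. Returns None when the id is rejected; a real
    handler would log the rejection, which is also a useful detection signal."""
    row_id = parse_id(id_param)
    if row_id is None:
        return None
    return con.execute(
        "SELECT id, email FROM email_confirm WHERE id = ?", (row_id,)
    ).fetchall()
```

With the vulnerable function a non-numeric id rewrites the WHERE clause and returns every row; the hardened function rejects the same input before any SQL runs.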

Although the posting included a proof of concept, the underlying problem was fixed by PayPal within a very short time once the vulnerability was reported. This all happened on 12th January 2013, and there is no evidence that the vulnerability was actually exploited in the wild.

Reward schemes for finding security-related bugs have become common in the security industry, with companies like Google and Facebook paying out substantial rewards for verifiable vulnerabilities in their software. Google recently announced its third Pwnium competition, Pwnium 3, which will focus on Chrome OS. The search giant is making available up to $3.14159 million USD in rewards for demonstrable attacks against a base (WiFi) model of the Samsung Series 5 550 Chromebook running the latest stable version of Chrome OS.

Since PayPal handles millions of dollars of transactions per day, it is important that it has this extra level of help from ethical hackers. However, as you can imagine, the company doesn’t publicize any vulnerabilities found!

PayPal bug bounty program not working as well as it should

(LiveHacking.Com) – It appears that the PayPal online payment service isn’t as secure or as flexible as it would like us to believe! In a recent email exchange between SC Magazine and Neil Smith, who works for Texas-based Zing Checkout, Smith revealed that he has found authentication errors on one of PayPal’s sites and that PayPal is being a bit grumpy when it comes to payouts for reporting these genuine and worrying flaws.

According to a blog post written by Neil, he discovered an authorization bypass issue at the end of June, along with a cross-site scripting error. It took PayPal until the end of August to acknowledge and pay for the XSS error, but the authorization bypass was declared “invalid”.

Reflecting on his feelings when he originally found the error, Neil wrote: “At this point, I’m giddy. This is obviously going to be big. At this point, I realize I’m on the verge of crossing the line when it comes to the terms of the bug bounty program, so I start writing up my report and look forward to seeing what comes of this.”

Since PayPal didn’t see the issue as big, Neil asked the online payment company if he could fully disclose it, but it said no! That is worrying, because if the bug really is invalid, PayPal shouldn’t care!

The good news is that PayPal has since paid for his bug disclosures, and PayPal’s chief security officer Michael Barrett has begun working with him to identify further holes.

“For the record, Michael Barrett is a great guy who I have the utmost respect for, and I have had quite a bit of correspondence with him directly after my blog post. Also, since the blog post, per the request of Michael Barrett, I combed back through the PayPal QA netblock since I first took a look at it over the summer, and have several new outstanding bug reports that are actively being addressed (a few of which are much more serious than what my post covered),” Smith said.

PayPal’s program is new and is allowed the occasional foul-up, but PayPal needs to learn that good communication with security researchers is key to a successful bug bounty program.

PayPal launches bug bounty program

(LiveHacking.Com) – PayPal has joined the likes of Google and Facebook by launching a program which rewards security researchers for finding vulnerabilities in its website and services. The types of vulnerability that PayPal is looking for include XSS, CSRF/XSRF, SQL injection and authentication bypass errors.

However, one type of vulnerability won’t be considered by PayPal: logout CSRF. According to PayPal, there are multiple techniques like “cookie forcing” and “cookie bombardment” that make it futile to defend against this attack, and so the Bug Bounty panel will not consider reports of vulnerabilities that force users to be logged out of PayPal.

“We recognize the important role that security researchers and our user community play in keeping PayPal and our customers secure,” wrote PayPal. “To encourage responsible disclosure, we commit that – if we conclude that a disclosure respects and meets all the guidelines outlined below – we will not bring a private action or refer a matter for public inquiry.”

PayPal hasn’t yet disclosed exactly how much money will be paid for each vulnerability found, but Google pays $500 or more depending on the severity.

DDoS Assault on PayPal Website

The PandaLabs blog has reported a DDoS assault on the PayPal website by an anonymous group.

Apparently the site came under a massive distributed denial of service (DDoS) attack by the Operation: Payback group. According to its website, this group is an anonymous, decentralized movement which fights against censorship and “copywrong”.