PayPal Bug Bounty - a lesson in not being a fuckup.

PayPal started their bug bounty program on June 21st 2012. When I saw that, I decided that the race was on. A new market place had opened, and I was going to get in on it. I had my first opportunity to take my first shots at finding a flaw on June 29th. On first thought, I assumed that a company like paypal was going to be a well audited, and an air tight group. I was wrong. really wrong.

This recanting will cover the bugs I found and paypal’s response, including timelines. I hope this serves as a ‘what not to do’ guide for others creating bug bounty programs, and to give those who are participating in such programs an idea of what to expect when it is not run well.

June 29th

I started my hunt like I start all of my audits, on shodanhq.com. My first search query: “admin paypal” … not expecting to get any results of value. As you can see, there are still many active hits to this date with that search term.

Once I saw the ‘stageXmbXXX’ in the URL, I realized that for whatever reason, PayPal’s staging netblock was publically accessible. In short: this is going to be a shitshow.

After a few minutes of poking around, I started on one of them to find bugs. The first one: Authorization bypass.

As you can see trying ‘lsmith’ yielded ‘Lori Smith’. This is a good sign. So I started to move on looking for something a bit more substantial.

At first I saw the error and was a bit let down, then I noticed that it actually logged me in as user ‘jsmith’, which was actually ‘Janine Smith’. Progress. But this user didn’t have the correct permission to access this admin panel either. At this point, I wasn’t even sure what this admin panel was to and I wanted to play it safe, as to not violate the terms of the bug bounty program which clearly stated that it was in violation to access live users data.

After some tweaking the syntax, I got this message. This was extremely encouraging. I got an internal IP address to tell me where in this mystical place I was connecting to. But I still wasn’t sure what this even was. So I grabbed the page title and plugged it into Google hoping to get some lead.

The first result didn’t answer any questions, but was a big WTF moment. So I went on to the next results. Legal exhibits from various lawsuits. And I found this, an actual print out directly from this ‘admin’ panel.

At this point, I’m giddy. This is obviously going to be big. (screw your xss ‘bug’ I found the engine running the mother fucking jackpot). At this point, I realize I’m on the verge of crossing the line when it comes to the term of the bug bounty program, so I start writing up my report and look forward to seeing what comes of this.

Report finished up, I went to download PayPal’s PGP key to encrypt it. But problem. The Key that was linked to by their official page was expired. So I had to email them to get a working PGP key. Who announced this program and didn’t have the foresight to not link to a fucking expired PGP key to send them reports with?

July 5th:

I finally got the reply with a valid PGP Key. Sent off my report awaiting a speedy reply as to how serious I thought this was.

July 19th:


I finally got an automated notification that my report was received.

August 7th:

I get another automated update saying that my report had been closed as it was ‘invalid’. I’m pissed off. So I fire back an email asking if this meant it was okay to publicly report what I had found.

August 8th:

I get a response back asking not to do that, as the case was closed because the researcher was not able to recreate it. It was going to be reclassified into a different category. (full disclosure, at this point I had emailed in many other things I had found in that QA netblock, I might get around to covering them in another post).

August 21st:

An actual hand written response to another bug that reassured that this bug was still active and that I would be paid after it was done being fixed, and to not publicly disclosed anything until that time.

August 29th:

I receive a payment notice for ‘xss vulnerability.’ I email them back asking if this was correct. I never received a response.

In closing, You’ve got to actually communicate with your researchers. There is nothing more frustrating than trying to tell someone about their problem, and being stonewalled.

I’ll never waste my time with PayPal again. And you shouldn’t either.

This was posted 7 months ago. It has 15 notes.
  1. milesevenson reblogged this from l8security
  2. infosecblog reblogged this from l8security
  3. ziggythehamster reblogged this from l8security and added:
    He doesn’t mention if...actually fixed, but if they
  4. fistoffeathers reblogged this from l8security
  5. l8security posted this