PayPal Bug Bounty Program – playing fair?


A bug bounty program is one where white hat hackers and researchers hunt for serious security vulnerabilities and disclose them only to the vendor so they can be patched; in return, the vendor rewards them with money.

Various famous websites like Facebook, Google, PayPal, Mozilla, Barracuda Networks and others give away bug bounties worth thousands of dollars to hackers for finding vulnerabilities.
The vulnerability most commonly reported across these sites is cross-site scripting, and each month hackers submit many such vulnerabilities to companies.
If your report is a duplicate, i.e. someone else submitted the same vulnerability before you, the company will reject you from the bug bounty program. But there is no proof or open panel where a hacker can verify whether someone already reported the same bug. If the company replies, “The bug was already discovered by another researcher”, can you do anything, even if you know you are the very first person who found it? I guess, NO!
Something similar happened to me 17 times this year, when I (Mohit Kumar) reported various bugs to Google and Facebook, and the reply was always, “We are aware about the issue, so you are not eligible for bounty program”. The question is, THEN WHY THE HELL ARE YOU STILL VULNERABLE?
PayPal, being the largest eCommerce business, offers a bounty to security researchers for reporting the vulnerabilities they discover and keeping them confidential. One of my close friends and a security researcher, Christy Philip Mathew, discovered a total of 8 vulnerabilities in PayPal this year, of which 6 were reported directly by ‘The Hacker News’ without going through the Bug Bounty Program, and the latest two he submitted to PayPal before this disclosure article.
This time the reply was the same: “According to the terms and conditions Bounty is awarded to the first person that discovers the previously unknown bug.”
The two vulnerabilities submitted by Christy were a cross-site scripting bug in https://ic.paypal.com and an iFrame vulnerability at https://cms.paypal.com.
The XSS was reported on 12th October 2012 and PayPal replied on 16th October 2012 (4 days to think about whether they should give this guy a bounty?) with the message, “We regret to inform you that your bug submission was not eligible for a bounty for the following reason. The bug was already discovered by another researcher”. When asked whether they could prove it or provide the contact of the researcher who found it before him, there was not a single reply from PayPal after that.
The iFrame bug, on the other hand, was reported on 10th October 2012 and PayPal replied on 7th November 2012 (almost a month to discuss with the founder whether, if they ran out of budget this year, they should again refuse to give a bounty?). So, again the reply was, “The bug was already discovered by another researcher”.
Are bounty programs playing fair with hackers and researchers? We agree that millions of dollars are distributed to hackers under bug bounty programs, but can anyone prove that they are paying for each and every legitimate submission?
In all likelihood, companies are not paying the hunters for each bug and are replying, “we know about the issue”. Well, here a hacker can prove this. Please note that the two vulnerabilities were reported by my friend to PayPal about 34 days before the time of writing this article, and even though the PayPal security team replied that they know about the bugs, these vulnerabilities are still working and live.
For readers, we are disclosing the links below (because the hacker is now not eligible for a bounty and the PayPal team is really not serious about the security of its own users):
Link for iFrame: Click Here (open in Firefox)
Link for cross-site scripting: Click Here (open in Firefox)
(Update: the XSS was fixed by PayPal just after this disclosure was posted, but the iFrame bug is still working.)
Screenshots are given below:
[Screenshot: iframe]
[Screenshot: paypal-xss]
The Hacker News always encourages hackers to first disclose vulnerabilities to vendors, because we take SECURITY IN A SERIOUS WAY. But what inspires hackers to sell their findings on the underground market or to go for PUBLIC DISCLOSURE is the irresponsible response of administrators.
Thousands of sites, programs and servers are still vulnerable to hackers today, and there were researchers who contributed to the security of these same companies even before the bounty programs began. One more thing I want to mention here: if we look at the bug bounty white hat hacker lists, you will find that 50% of rewarded hackers don’t even know how to code a website in PHP or ASP, but they are hackers! (Note: the other 50% are very knowledgeable and I respect most of them, like my other friend Avram Marius, known for hunting hundreds of bugs.)

Finally, I would like to suggest that big companies make a transparent bug bounty panel where hackers can at least see whether someone really submitted a similar bug before them, and that companies at least fix/restrict the vulnerable pages as soon as possible.
Note: today we also found a cross-site scripting bug in Apple.com and reported it to the Apple Security Team. The reply was, “We already aware about the issue, Thank you”. The question is still the same: then why didn’t you take any quick action? And even if I was the second person to inform you about it, then why is the bug exploitable till now?