Full Disclosure mailing list archives
Re: PayPal.com XSS Vulnerability
From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 28 May 2013 09:13:10 -0400
On Tue, May 28, 2013 at 8:26 AM, Dan Kaminsky <dan () doxpara com> wrote:
So there's this pile of law around the world around work and kids; it's a rather recent development that <18 year olds can find problems that multibillion dollar interests are willing to pay bounties for.
I'm probably splitting hairs here, but there appears to be a cultural bias built in. At 17+, Robert would have been of age if he was Japanese under "Kazoe" year-counting.
The laws are all trying to protect you from being made to pick berries or sew t-shirts instead of going to class and playing outside.
The humor was not lost upon me that politicians and lawyers are trying to legislate morality. How ironic! FTW: https://www.google.com/search?q=teenage+science+competition? Jeff
On Fri, May 24, 2013 at 9:38 AM, Robert Kugler <robert.kugler10 () gmail com> wrote:Hello all! I'm Robert Kugler a 17 years old German student who's interested in securing computer systems. I would like to warn you that PayPal.com is vulnerable to a Cross-Site Scripting vulnerability! PayPal Inc. is running a bug bounty program for professional security researchers. https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues XSS vulnerabilities are in scope. So I tried to take part and sent my find to PayPal Site Security. The vulnerability is located in the search function and can be triggered with the following javascript code: ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search Screenshot: http://picturepush.com/public/13144090 Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old... PayPal Site Security: "To be eligible for the Bug Bounty Program, you must not: ... Be less than 18 years of age.If PayPal discovers that a researcher does not meet any of the criteria above, PayPal will remove that researcher from the Bug Bounty Program and disqualify them from receiving any bounty payments." I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s not the best idea when you're interested in motivated security researchers...
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- PayPal.com XSS Vulnerability Robert Kugler (May 25)
- Message not available
- Re: PayPal.com XSS Vulnerability Robert Kugler (May 27)
- Message not available
- Re: PayPal.com XSS Vulnerability Jeffrey Walton (May 27)
- Re: PayPal.com XSS Vulnerability Dan Kaminsky (May 28)
- Re: PayPal.com XSS Vulnerability Jeffrey Walton (May 28)
- Re: PayPal.com XSS Vulnerability Daniël W . Crompton (May 28)
- Re: PayPal.com XSS Vulnerability Zachary Cutlip (May 28)
- Re: PayPal.com XSS Vulnerability Kirils Solovjovs (May 28)
- Re: PayPal.com XSS Vulnerability Jeffrey Walton (May 28)
- Re: PayPal.com XSS Vulnerability Terrence (May 28)
- Re: PayPal.com XSS Vulnerability Kirils Solovjovs (May 28)
- <Possible follow-ups>
- Re: PayPal.com XSS Vulnerability Robert Kugler (May 28)
- Re: PayPal.com XSS Vulnerability Robert Kugler (May 29)
- Re: PayPal.com XSS Vulnerability Źmicier Januszkiewicz (May 29)