| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 May 2013 09:13:10 -0400 From: Jeffrey Walton <noloader@...il.com> To: Dan Kaminsky <dan@...para.com> Cc: full-disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: PayPal.com XSS Vulnerability On Tue, May 28, 2013 at 8:26 AM, Dan Kaminsky <dan@...para.com> wrote: > So there's this pile of law around the world around work and kids; it's a > rather recent development that <18 year olds can find problems that > multibillion dollar interests are willing to pay bounties for. I'm probably splitting hairs here, but there appears to be a cultural bias built in. At 17+, Robert would have been of age if he was Japanese under "Kazoe" year-counting. > The laws > are all trying to protect you from being made to pick berries or sew > t-shirts instead of going to class and playing outside. The humor was not lost upon me that politicians and lawyers are trying to legislate morality. How ironic! FTW: https://www.google.com/search?q=teenage+science+competition? Jeff > On Fri, May 24, 2013 at 9:38 AM, Robert Kugler <robert.kugler10@...il.com> > wrote: >> >> Hello all! >> >> I'm Robert Kugler a 17 years old German student who's interested in >> securing computer systems. >> >> I would like to warn you that PayPal.com is vulnerable to a Cross-Site >> Scripting vulnerability! >> PayPal Inc. is running a bug bounty program for professional security >> researchers. >> >> https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues >> >> XSS vulnerabilities are in scope. So I tried to take part and sent my find >> to PayPal Site Security. >> >> The vulnerability is located in the search function and can be triggered >> with the following javascript code: >> >> >> ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; >> >> alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- >> ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> >> >> https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search >> >> Screenshot: http://picturepush.com/public/13144090 >> >> Unfortunately PayPal disqualified me from receiving any bounty payment >> because of being 17 years old... >> >> PayPal Site Security: >> >> "To be eligible for the Bug Bounty Program, you must not: >> ... Be less than 18 years of age.If PayPal discovers that a researcher >> does not meet any of the criteria above, PayPal will remove that researcher >> from the Bug Bounty Program and disqualify them from receiving any bounty >> payments." >> >> I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s >> not the best idea when you're interested in motivated security >> researchers... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists