lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 May 2013 09:13:10 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Dan Kaminsky <dan@...para.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: PayPal.com XSS Vulnerability

On Tue, May 28, 2013 at 8:26 AM, Dan Kaminsky <dan@...para.com> wrote:
>    So there's this pile of law around the world around work and kids; it's a
> rather recent development that <18 year olds can find problems that
> multibillion dollar interests are willing to pay bounties for.
I'm probably splitting hairs here, but there appears to be a cultural
bias built in. At 17+, Robert would have been of age if he was
Japanese under "Kazoe" year-counting.

> The laws
> are all trying to protect you from being made to pick berries or sew
> t-shirts instead of going to class and playing outside.
The humor was not lost upon me that politicians and lawyers are trying
to legislate morality. How ironic!

FTW: https://www.google.com/search?q=teenage+science+competition?

Jeff

> On Fri, May 24, 2013 at 9:38 AM, Robert Kugler <robert.kugler10@...il.com>
> wrote:
>>
>> Hello all!
>>
>> I'm Robert Kugler a 17 years old German student who's interested in
>> securing computer systems.
>>
>> I would like to warn you that PayPal.com is vulnerable to a Cross-Site
>> Scripting vulnerability!
>> PayPal Inc. is running a bug bounty program for professional security
>> researchers.
>>
>> https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
>>
>> XSS vulnerabilities are in scope. So I tried to take part and sent my find
>> to PayPal Site Security.
>>
>> The vulnerability is located in the search function and can be triggered
>> with the following javascript code:
>>
>>
>> ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
>>
>> alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
>> ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
>>
>> https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search
>>
>> Screenshot: http://picturepush.com/public/13144090
>>
>> Unfortunately PayPal disqualified me from receiving any bounty payment
>> because of being 17 years old...
>>
>> PayPal Site Security:
>>
>> "To be eligible for the Bug Bounty Program, you must not:
>> ... Be less than 18 years of age.If PayPal discovers that a researcher
>> does not meet any of the criteria above, PayPal will remove that researcher
>> from the Bug Bounty Program and disqualify them from receiving any bounty
>> payments."
>>
>> I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s
>> not the best idea when you're interested in motivated security
>> researchers...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists