[nexa] We found 6 critical PayPal vulnerabilities – and PayPal punished us for it

Giacomo Tesio giacomo at tesio.it
Sun Mar 1 21:36:53 CET 2020

Sorry, I forgot the link.



On Friday, 28 February 2020, Davide Carboni <dcarboni at gmail.com> wrote:
> What is the source of this interesting article?
> On Wed, 26 Feb 2020, 3:49 pm Giacomo Tesio, <giacomo at tesio.it> wrote:
>> When our analysts discovered six vulnerabilities in PayPal – ranging
>> from dangerous exploits that can allow anyone to bypass their
>> two-factor authentication (2FA), to being able to send malicious code
>> through their SmartChat system – we were met with non-stop delays,
>> unresponsive staff, and lack of appreciation. Below, we go over each
>> vulnerability in detail and why we believe they’re so dangerous.
>> When we pushed the HackerOne staff for clarification on these issues,
>> they removed points from our Reputation scores, relegating our
>> profiles to a suspicious, spammy level. This happened even when the
>> issue was eventually patched, although we received no bounty, credit,
>> or even a thanks. Instead, we got our Reputation scores (which start
>> out at 100) negatively impacted, leaving us worse off than if we’d
>> reported nothing at all.
>> [...]
>> # PayPal’s reputation for dishonesty
>> PayPal has been on the receiving end of criticism for not honoring its
>> own bug bounty program.
>> Most ethical hackers will remember the 2013 case of Robert Kugler, the
>> 17-year old German student who was shafted out of a huge bounty after
>> he discovered a critical bug on PayPal’s site. Kugler notified PayPal
>> of the vulnerability on May 19, but apparently PayPal told him that
>> because he was under 18, he was ineligible for the Bug Bounty Program.
>> According to PayPal, the bug had already been discovered by
>> someone else, but they also admitted that the young hacker was just
>> too young.
>> Another researcher earlier discovered that attempting to communicate
>> serious vulnerabilities in PayPal's software led to long delays. In
>> the end, frustrated, the researcher promised never to waste his
>> time with PayPal again.
>> There’s also the case of another teenager, Joshua Rogers, also 17 at
>> the time, who said that he was able to easily bypass PayPal’s 2FA. He
>> went on to state, however, that PayPal didn’t respond after multiple
>> attempts at communicating the issue with them.
>> PayPal acknowledged and downplayed the vulnerability, later patching
>> it, without offering any thanks to Rogers.
>> # The big problem with HackerOne
>> HackerOne is often hailed as a godsend for ethical hackers, allowing
>> companies to get novel ways to patch up their tools, and allowing
>> hackers to get paid for finding those vulnerabilities.
>> It’s certainly the most popular, especially since big names like
>> PayPal work exclusively with the platform. There have been issues with
>> HackerOne’s response, including the huge scandal involving Valve, when
>> a researcher was banned from HackerOne after trying to report a Steam
>> zero-day.
>> However, its Triage system, which is often seen as an innovation,
>> actually has a serious problem. The way that HackerOne’s triage system
>> works is simple: instead of bothering the vendor (HackerOne’s
>> customer) with each reported vulnerability, they’ve set up a system
>> where HackerOne Security Analysts will quickly check and categorize
>> each reported issue and escalate or close the issues as needed. This
>> is similar to the triage system in hospitals.
>> These Security Analysts are able to identify the problem, try to
>> replicate it, and communicate with the vendor to work on a fix.
>> However, there’s one big flaw here: these Security Analysts are also
>> active Bug Bounty Hackers.
>> Essentially, these Security Analysts get first dibs on reported
>> vulnerabilities. They have full discretion on the type of severity of
>> the issue, and they have the power to escalate, delay or close the
>> issue.
>> That presents a huge opportunity for them, if they act in bad faith.
>> Other criticisms have pointed out that Security Analysts can first
>> delay the reported vulnerability, report it themselves on a different
>> bug bounty platform, collect the bounty (without disclosing it, of
>> course), and then close the reported issue as Not Applicable, or
>> perhaps Duplicate.
>> As such, the system is ripe for abuse, especially since Security
>> Analysts on HackerOne use generic usernames, meaning that there’s no
>> real way of knowing what they are doing on other bug bounty platforms.
>> ______
>> I am always uneasy when faced with the phrase "ethical hacker".
>> Hacking is always an ethical act: an ethics founded on curiosity,
>> aimed at the pursuit of knowledge.
>> The fact that collaborating with those responsible for a security
>> flaw in delaying the dissemination of the information is labelled
>> "ethical" is partly a symptom and partly a cause of the dreadful
>> level of security in computing.
>> If every security flaw were immediately and anonymously disclosed to
>> the mass media, after a couple of corporate bankruptcies we would have
>> much more secure software.
>> Windows would be the most secure operating system on the planet.
>> (Or Microsoft would no longer exist...)
>> Instead, we have HackerOne.
>> Giacomo
>> _______________________________________________
>> nexa mailing list
>> nexa at server-nexa.polito.it
>> https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa
