
PayPal Fixes 'High-Severity' Password Security Vulnerability


Researcher Alex Birsan, while examining PayPal's main authentication flow, discovered a critical security flaw that hackers could have exploited to access users' passwords and email addresses. He responsibly reported the vulnerability to PayPal on November 18, 2019, via the HackerOne bug bounty platform and received a bug bounty of over $15,000 for the issue. HackerOne acknowledged the report 18 days after submission, and the company patched the flaw on 11 December 2019.

The bug affected one of PayPal's primary and most visited pages, its login form, as Birsan notes in his public disclosure of the flaw.

As Birsan was exploring PayPal's main authentication flow, his attention was drawn to a JavaScript file that appeared to contain a cross-site request forgery (CSRF) token along with a session ID. "Providing any kind of session data inside a valid javascript file," the expert wrote in his blog post, "usually allows it to be retrieved by attackers."

"In what is known as a cross-site script inclusion (XSSI) attack, a malicious web page can use an HTML <script> tag to import a script cross-origin, enabling it to gain access to any data contained within the file." 

In its confirmation, PayPal stated that sensitive, unique tokens were leaked in a JS file used by its reCAPTCHA implementation. Users sometimes have to complete a captcha challenge after authentication, and according to PayPal, "the exposed tokens were used in the post request to solve the captcha challenge." The captcha challenge appears after multiple failed login attempts, which is normal in itself; the problem, as the disclosure describes it, is that "the response to the next authentication attempt is a page containing nothing but a Google captcha. If the captcha is solved by the user, an HTTP POST request to /auth/validate captcha is initiated." To actually obtain the credentials, however, the attacker would first need to make the targeted user visit a malicious website before logging into their PayPal account.

While assuring its users, PayPal said that it “implemented additional controls on the security challenge request to prevent token reuse, which resolved the issue, and no evidence of abuse was found.”
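The mechanism Birsan describes, and the two fixes PayPal's statement points at, as an added Python example (not PayPal's or Birsan's code): a script endpoint that embeds session-bound tokens can be pulled in cross-origin with a script tag, while the hardened version refuses cross-site script loads using the browser's Fetch Metadata headers, returns non-executable JSON with an anti-XSSI prefix, and the captcha challenge token is made single-use so a leaked one cannot be replayed. Request handling is simulated; the session values, endpoint shapes and the `CaptchaChallenges` store are constructed for illustration.

```python
"""Added example, not PayPal's code: why session-bound data in a script file
is exposed to cross-site script inclusion (XSSI), with two mitigations that
match the write-up: keep tokens out of cross-origin-loadable scripts, and
make the captcha challenge token single-use. Request handling is simulated;
the session values and endpoint shapes are constructed for illustration."""
import json
import secrets
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str, str]          # (status, content-type, body)
Headers = Dict[str, str]

# Constructed victim session, as the server would hold it.
VICTIM_SESSION = {"sid": "sess-0123456789", "csrf": "csrf-abcdef"}


def vulnerable_script_endpoint(session: Dict[str, str], headers: Headers) -> Response:
    """Serves session secrets as executable JavaScript. A <script src=...>
    tag on any origin loads it, the browser attaches the victim's cookies,
    and the including page can read the globals the script defines."""
    body = (f'var _csrf = "{session["csrf"]}";\n'
            f'var _sessionID = "{session["sid"]}";\n')
    return 200, "application/javascript", body


def hardened_data_endpoint(session: Dict[str, str], headers: Headers) -> Response:
    """Same data, served defensively.

    1. Fetch Metadata: browsers label a cross-site <script> load with
       Sec-Fetch-Site: cross-site and Sec-Fetch-Dest: script; refuse those.
    2. Return JSON rather than JavaScript, prefixed with ")]}'" so that even
       a successful script include is a syntax error, not executable code.
       The same-origin client strips the prefix before parsing.
    """
    if headers.get("Sec-Fetch-Site") == "cross-site" or headers.get("Sec-Fetch-Dest") == "script":
        return 403, "text/plain", ""
    return 200, "application/json", ")]}'\n" + json.dumps(session)


def leaked_values(endpoint: Callable[..., Response], session: Dict[str, str]) -> List[str]:
    """Simulates <script src="https://target/config.js"> on another origin
    and reports which session values the response discloses."""
    cross_site = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "script"}
    status, _ctype, body = endpoint(session, cross_site)
    return [name for name, value in session.items() if status == 200 and value in body]


def same_origin_fetch(session: Dict[str, str]) -> dict:
    """The legitimate client: a same-origin fetch() that strips the prefix."""
    status, ctype, body = hardened_data_endpoint(
        session, {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Dest": "empty"})
    assert status == 200 and ctype == "application/json"
    prefix = ")]}'\n"
    return json.loads(body[len(prefix):] if body.startswith(prefix) else body)


class CaptchaChallenges:
    """Single-use captcha challenge tokens bound to the session that received
    them: a token is removed on first validation, and a token presented with
    another session's id is rejected."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}   # token -> session id

    def issue(self, sid: str) -> str:
        token = secrets.token_urlsafe(32)
        self._pending[token] = sid
        return token

    def validate(self, sid: str, token: str) -> bool:
        if self._pending.get(token) != sid:
            return False
        del self._pending[token]             # consumed: replay is impossible
        return True


if __name__ == "__main__":
    print("vulnerable endpoint leaks:", leaked_values(vulnerable_script_endpoint, VICTIM_SESSION))
    print("hardened endpoint leaks:  ", leaked_values(hardened_data_endpoint, VICTIM_SESSION))
    print("same-origin client sees:  ", same_origin_fetch(VICTIM_SESSION))
    challenges = CaptchaChallenges()
    tok = challenges.issue(VICTIM_SESSION["sid"])
    print("first use:", challenges.validate(VICTIM_SESSION["sid"], tok),
          "replay:", challenges.validate(VICTIM_SESSION["sid"], tok))
```

The Fetch Metadata check and the JSON prefix are independent layers: the first stops the cross-site request at the server, the second makes the response useless as a script even on browsers that do not send those headers. Neither replaces the underlying fix, which is not to put per-session secrets into a resource that can be loaded cross-origin at all.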

Paypal running out of Money in its Bug Bounty budget

It seems that PayPal is running out of money in its bug bounty budget. Bug hunters have started to report that PayPal has stopped paying bounties.

Recently, security researcher Mahadev Subedi discovered two XSS vulnerabilities in one of PayPal's domains (paypal-marketing.com.hk) and notified PayPal.

But Paypal responded "we have determined that these bugs are not eligible for payment based on the fact the website is in the process of being decommissioned and will be shut down in the near future."


XSS vulnerability in Paypal-marketing
Mahadev discovered POST-based cross-site scripting in two pages of the paypal-marketing domain: 1. paypal-marketing.com.hk/merchant-enquiries/index.php, 2. paypal-marketing.com.hk/merchant-enquiries/index-zh.php. POCs for these vulnerabilities can be found here.

Researchers say that PayPal has stopped paying bug bounties because it has already paid out a lot for low-priority bugs.

*Update*:
 Bug Hunter Harsha Vardhan Boppana asked PayPal about this issue and they responded with this mail:

Our second party hosted sites (www.paypal-*.com) are mainly marketing based sites that are not part of the core Paypal domains (*paypal.com) and are managed by hosting vendor companies. They do not retain as long a life cycle as the core domains and can have a more volatile timeline as many are tied to projects and regional initiatives. For your own reference, I have provided you a list of sites currently in process of being decommissioned and therefore not eligible for Bug Bounty processing.


Sites to be decommissioned in coming months:
  • paypal-deutschland.de
  • paypal-danmark.dk
  • paypal-promo.es
  • paypal-europe.com
  • paypal-france.fr
  • paypal-nederland.nl
  • paypal-norge.no
  • paypal-marketing.pl
  • paypal-sverige.se
  • paypal-turkiye.com
  • paypal-business.co.uk
  • paypal-marketing.co.uk
  • paypal-shopping.co.uk
  • paypal-australia.com.au
  • paypal-biz.com
  • paypal-business.com.hk
  • paypal-marketing.com.hk
  • paypal-offers.com.hk
  • paypal-shopasia.com
  • paypal-japan.com
  • paypal-apac.com
  • paypal-plaza.com
  • thepaypalblog.com
  • www.paypal-brasil.com.br
  • paypal-marketing.ca

Blind SQL Injection vulnerability in PayPal Notifications website



Indian security researcher Prakhar Prasad discovered a blind SQL injection vulnerability in the PayPal Notifications website (paypal-notify.com) that allowed him to access the database of PayPal's notification system.

"As a part of Paypal Bug Bounty Program, I did a responsible disclosure of the bug to Paypal Security Team," the researcher said in his blog.


[Image: SQLMap displays the database name after injection]


Because of its high severity, the PayPal security team patched the vulnerability immediately, the day after Prasad's report.

On 21st January, PayPal rewarded the researcher with $3,000 for the SQLi and an additional $350 for other, less critical bugs.

List of Bug Bounty Programs for PenTesters and Ethical Hackers


"The best way to improve network security is hiring hackers." Unfortunately, companies can't hire all the best hackers, so they have chosen another way to improve their system security: bug bounty programs.

A bug bounty program is a place where security researchers and ethical hackers find vulnerabilities in a target website or app and get rewarded for their findings.

Here is a list of bug bounty programs that reward security researchers who find vulnerabilities.

Google:
If you find a vulnerability in Google, you will get a reward, and your name will be listed on the Google Hall of Fame page.

Details about Vulnerability Reward Program: http://www.google.com/about/appsecurity/reward-program/

Hall of fame: http://www.google.com/about/appsecurity/hall-of-fame/

The following table outlines the usual rewards for the anticipated classes of bugs:
Vulnerability type                                    | accounts.google.com                   | Other highly sensitive services [1] | Normal Google applications | Non-integrated acquisitions and other lower priority sites [2]
Remote code execution                                 | $20,000                               | $20,000                             | $20,000                    | $5,000
SQL injection or equivalent                           | $10,000                               | $10,000                             | $10,000                    | $5,000
Significant authentication bypass or information leak | $10,000                               | $5,000                              | $1,337                     | $500
Typical XSS                                           | $3,133.7                              | $1,337                              | $500                       | $100
XSRF, XSSI and other common web flaws                 | $500 - $3,133.7 (depending on impact) | $500 - $1,337 (depending on impact) | $500                       | $100


Security Bug Bounty from facebook:
Minimum reward is $500 USD.
The reward will be increased for severe or creative bugs
Only 1 bounty per security bug will be awarded

https://www.facebook.com/whitehat/bounty

Mozilla Bug Bounty program:


The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence.

For valid security bugs in web applications or services, the bounty starts at $500 (US) for high-severity issues and, in some cases, may reach $3000 (US) for extraordinary or critical vulnerabilities. Mozilla also includes a T-shirt.

http://www.mozilla.org/security/bug-bounty.html

Paypal Bug Bounty Program For Professional Researchers

https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues

Secunia Vulnerability Coordination Reward Program (SVCRP)
SVCRP – a reward program incentive offered by Secunia to researchers who have discovered a vulnerability and would like a third party to confirm their findings and handle the coordination process with the vendor on their behalf: http://secunia.com/community/research/svcrp/

Etsy :
Will pay a minimum of $500 for qualifying vulnerabilities, subject to a few conditions and with qualification determined by the Etsy Security Team.

http://codeascraft.etsy.com/2012/09/11/announcing-the-etsy-security-bug-bounty-program/

Barracuda Networks
www.barracudalabs.com/bugbounty

Companies that credit researchers by name on their site but do not pay bounties:

Adobe Systems Incorporated:
Details :http://www.adobe.com/support/security/alertus.html
Security Acknowledgments : http://www.adobe.com/support/security/bulletins/securityacknowledgments.html

Twitter:

https://twitter.com/about/security

EBay:
http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html

Microsoft
http://technet.microsoft.com/en-us/security/ff852094.aspx
http://technet.microsoft.com/en-us/security/cc308589
http://technet.microsoft.com/en-us/security/cc308575
http://technet.microsoft.com/en-us/security/cc261624
http://www.microsoft.com/security/msrc/default.aspx

Apple
http://support.apple.com/kb/HT1318
https://ssl.apple.com/support/security/

Dropbox
https://www.dropbox.com/security
https://www.dropbox.com/special_thanks

Reddit
http://code.reddit.com/wiki/help/whitehat

Github
https://help.github.com/articles/responsible-disclosure-of-security-vulnerabilities

Ifixit
http://www.ifixit.com/Info/responsible_disclosure

37 Signals
http://37signals.com/security-response

Twilio
http://www.twilio.com/blog/2012/03/reporting-security-vulnerabilities.html

Constant Contact
http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp

Engine Yard
http://www.engineyard.com/legal/responsible-disclosure-policy

Lastpass
https://lastpass.com/support_security.php

RedHat
https://access.redhat.com/knowledge/articles/66234

Acquia
https://www.acquia.com/how-report-security-issue

Zynga
http://company.zynga.com/security/whitehats

Owncloud
http://owncloud.org/security/policy
http://owncloud.org/security/hall-of-fame

Tuenti
http://corporate.tuenti.com/en/dev/hall-of-fame

soundcloud:
http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure

Nokia Siemens Networks
http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure


Yandex Bug Bounty:

http://company.yandex.com/security/hall-of-fame.xml

Persistent Cross Site Scripting Vulnerability in the official Paypal ecommerce


The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official Paypal ecommerce website content management system.

The bug allows remote attackers to inject malicious script code on the application side (persistent). The persistent vulnerability is located in the "Artikel pro Seite" (items per page) listing module, in the vulnerable filterVal1 parameter.

Remote exploitation requires low user interaction; local exploitation requires a privileged application user account. Successful exploitation of the vulnerability can lead to session hijacking (admin), account theft via a persistent web attack, or stable (persistent) context manipulation.


Proof of Concept:
=================
The persistent vulnerability can be exploited by remote attackers and by local privileged user accounts with low required user interaction.
For demonstration or reproduction ...

Review: [ALL Listing] (index) Rechnungen Verwalten (Manage Invoices) - Geld Anfordern (Request Money) > Artikel pro Seite (Items per Page) (Listing) > filterVal1

var currencyVals = ["EUR", "AUD", "BRL", "GBP", "DKK", "HKD", "ILS", "JPY", "CAD", "MXN", "TWD", "NZD", "NOK", "PHP",
"PLN", "SEK", "CHF", "SGD", "THB", "CZK", "HUF", "USD", ""];
var txt1 = "zwischen";
var txt2 = " und ";
var txtLabel = "Wert 2";
var advFilter = "email";
var dateFilter = "invoice_date";
var filterVal1 = "<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;"> <META HTTP-EQUIV="Set-Cookie"
Content="USERID=<SCRIPT>document.cookie=true</script>"> <script>document.cookie=true;</script>


PoC:  "><iframe src=http://vuln-lab.com onload=alert("VulnerabilityLab") <

The security risk of the persistent script code injection vulnerability is estimated as medium(+). The vulnerability has been fixed by PayPal.

A persistent input validation Vulnerability in the official Paypal Plaza


The Vulnerability Laboratory Research Team discovered a persistent input validation Vulnerability in the official Paypal Plaza website application.

The bug allows a remote attacker to inject malicious script code on the application side (persistent) of the PayPal Plaza eGreetings web service. The vulnerability is located in the (Step 5 Preview) eGreeting module notification, in the vulnerable "your name" and "recipient's name" parameters.

The vulnerability can be exploited by remote attackers with low or medium required user interaction and without a privileged Customer/Pro/Seller account. Successful exploitation of the vulnerability can lead to session hijacking (customers), account theft via persistent web attacks, persistent phishing, or stable (persistent) mail notification context manipulation.

Proof of Concept:
=================

The persistent input validation vulnerability can be exploited by remote attackers with low or medium required user interaction.
For demonstration or reproduction ...

Review:  Notification Mail - eGreetings Card Notification

<html>
<head>
<title>You have received a eCard from your loved one.</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><b>Betreff: </b>
You have received a eCard from your loved one.</td></tr><tr><td><b>Von: </b>=?utf-8?B?Ij48aWZyYW1lIHNyYz1hIG9ubG9hZD1hbGVydCgiSEkiKSA8?=
 <admin@vulnerability-lab.com></td></tr><tr><td><b>Datum: </b>14.08.2012 05:15</td></tr></table><table border=0 cellspacing=0
cellpadding=0 width="100%" class="header-part2"><tr><td><b>An: </b>research@vulnerability-lab.com</td></tr></table><br>
Dear "><[PERSISTENT INJECTED SCRIPT CODE OUTSIDE OF GREETINGSCARD ITSELF!]") <,<br/><br/>
Greetings! "><"><[PERSISTENT INJECTED SCRIPT CODE OUTSIDE OF GREETINGSCARD ITSELF!]") < has just sent you a eCard.
<br/><br/>
<a href="https://www.paypal-plaza.com/giftcard/2494/lang/en_au">View your eCard now.</a>
</body>
</html>

The security risk of the persistent input validation vulnerability in the mail notification service filter is estimated as medium. The vulnerability has been fixed by Paypal now.
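Both Vulnerability Lab advisories above come down to the same defect: a user-supplied value written without encoding into a context that interprets it, once into a JavaScript string literal inside a page script (the filterVal1 parameter) and once into the HTML body of a notification mail (the sender and recipient names). The following added Python example (not Vulnerability Lab's or PayPal's code) shows the vulnerable rendering beside the fix, which is output encoding chosen for the context the value lands in. The payload strings are the ones quoted in the advisories; the rendering functions are constructed stand-ins for the real templates.

```python
"""Added example, not Vulnerability Lab's or PayPal's code: context-specific
output encoding for the two injection points the advisories describe, a
JavaScript string literal (filterVal1) and an HTML mail body (eCard names).
The payloads are the advisories' PoC strings; the templates are constructed."""
import html
import json

# Test input taken from the advisories' proof-of-concept strings.
FILTER_PAYLOAD = '"><iframe src=http://vuln-lab.com onload=alert("VulnerabilityLab") <'
META_PAYLOAD = '<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;">'


def js_string_literal(value: str) -> str:
    """Encode a value for use as a string literal inside a <script> block.

    json.dumps takes care of quotes, backslashes, control characters and,
    with its default ensure_ascii=True, all non-ASCII characters including
    the JavaScript line terminators U+2028/U+2029. '<', '>' and '&' are
    additionally written as \\uXXXX escapes so that a value containing
    '</script>' can never close the enclosing script element. JavaScript
    decodes the escapes back to the original characters, so no data is lost."""
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return encoded


def js_round_trip(value: str) -> str:
    """Decode the literal again (JSON and JavaScript share the \\uXXXX
    escape syntax) to show that encoding preserved the value."""
    return json.loads(js_string_literal(value))


def render_filter_script_vulnerable(filter_val: str) -> str:
    """How the advisory's page behaved: raw concatenation into the script,
    so a double quote in the value ends the literal early."""
    return f'var filterVal1 = "{filter_val}";'


def render_filter_script_fixed(filter_val: str) -> str:
    return f"var filterVal1 = {js_string_literal(filter_val)};"


def render_ecard_mail_vulnerable(sender: str, recipient: str) -> str:
    """The mail body with the names inserted verbatim into HTML."""
    return (f"Dear {recipient},<br/><br/>"
            f"Greetings! {sender} has just sent you an eCard.")


def render_ecard_mail_fixed(sender: str, recipient: str) -> str:
    """html.escape (quote=True by default) encodes & < > \" ' so the names
    are displayed as text instead of being parsed as markup by the mail
    client."""
    return (f"Dear {html.escape(recipient)},<br/><br/>"
            f"Greetings! {html.escape(sender)} has just sent you an eCard.")


INJECTED_TAGS = ("<iframe", "<meta", "<script")


def has_injected_tag(rendered: str) -> bool:
    """Check used below: did a tag from the payloads survive as markup?
    (The template's own <br/> is deliberately not in the list.)"""
    lowered = rendered.lower()
    return any(tag in lowered for tag in INJECTED_TAGS)


if __name__ == "__main__":
    samples = (("vulnerable script", render_filter_script_vulnerable(FILTER_PAYLOAD)),
               ("fixed script", render_filter_script_fixed(FILTER_PAYLOAD)),
               ("vulnerable mail", render_ecard_mail_vulnerable(FILTER_PAYLOAD, "Alice")),
               ("fixed mail", render_ecard_mail_fixed(META_PAYLOAD, "Alice")))
    for label, out in samples:
        print(f"{label:18} injected={has_injected_tag(out)!s:5} {out}")
```

The point to take from the two fixed renderers is that the encoding differs by context: the JSON-plus-`\u003c` form is right for a script string and wrong for HTML text, and `html.escape` is right for HTML text and would still leave a script literal exploitable through `\"` and `</script>`. A template engine that auto-escapes for the HTML context, as most modern ones do, covers the mail case but not the script case unless values are passed through a JSON filter there.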