PayPal denies stiffing bug-hunting teen on bounty

Someone else got there first, claims firm

PayPal has denied that it refused a teenage security researcher a reward for finding a potentially nasty bug on the basis that he was too young. The payments processing firm said that while it had denied the 17-year-old a reward, it was because another researcher had already reported the flaw.

Robert Kugler, 17, found a cross-site scripting flaw on the payment processing firm's website before claiming a reward under PayPal's bug bounty programme.

Initially, Kugler claimed PayPal had told him in an email that he was ineligible for a reward because he was too young.

The terms and conditions for the reward scheme do not mention anything about the bounty being restricted to those over 18.

The German student recently published details of the bug, along with what he claimed were extracts from his email correspondence with PayPal, on a full disclosure mailing list, provoking damaging headlines along the lines of "PayPal Stiffs Teen Who Found Website Bug".

In response to queries from El Reg, PayPal said Kugler had been denied the reward not because he was too young, but because someone else had previously reported the same flaw, directly contradicting Kugler's account.

The eBay payments subsidiary said it was resolving the vulnerability, stressing that there was no evidence that it had been abused in any attacks to date and therefore no need for undue concern.

While we always appreciate contributions by the security community to PayPal's Bug Bounty Program, we reward participants when they are the first to report valid security vulnerabilities.

In this specific situation, the cross-site scripting vulnerability was already discovered by another security researcher, so [the bug] would not have been eligible for payment, regardless of age [of the researcher], as we must honour the original researcher that provided the vulnerability.

We appreciate the security researcher's efforts and this situation illustrates that PayPal can do more to recognise younger security researchers around the world. As a first step, we are sending an official letter of recognition for the researcher's contribution and we are exploring other ways to recognise younger security researchers when they do discover a vulnerability and responsibly disclose that discovery.

PayPal's conditions do state that its bounty is only awarded to the first person that discovers the previously unknown bug. El Reg asked PayPal which researcher was first to report this bug, as well as how many bug bounties it had paid out. It declined to answer both questions, so we're none the wiser.

"PayPal does not share the details on the researchers or the number of bugs found," a spokesman said.

Kugler said he is less than impressed with PayPal's handling of his vulnerability report and how it runs its bug bounty programme more generally.

"It's a strange behaviour from PayPal," Kugler told El Reg. He claimed: "In my email correspondence with PayPal, no one ever mentioned someone else found the bug! They only said: 'You're disqualified because of being 17 years old'."

He went on to claim: "After all that media attention they introduced: 'No, we disqualified his bug because someone else already found it, not for being 17 years old'. Maybe it's just me, but I think they just want to avoid the payment. Two security researchers (one from China and one from India) found the same bug and always the same reply: Someone else found it, we are sorry!"

XSS marks the spot

Cross-site scripting (XSS) vulnerabilities arise from web application development mistakes. Attackers can exploit XSS vulns to inject scripts or pop-ups from untrusted sites that appear to surfers as originating from the site they are visiting. XSS is a common class of vulnerability, most regularly abused in phishing attacks.

The cross-site scripting flaw in the search function on PayPal's German site which Kugler (and perhaps others) discovered is a bit more serious, however, because it is capable of being abused to access credentials.

"An XSS attack occurs when a script drawn from another website is allowed to run but should not," Kugler explained. "The type of flaw can be used to steal information or potentially cause other malicious code to run."

The PayPal XSS bug was fixed on Wednesday, according to Kugler.
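To show the pattern the article describes (a search term reflected into the results page) the following is an added example, not PayPal's code and not the flaw Kugler reported: a minimal results page with the reflected-XSS mistake beside its escaped form, plus a check a defender can run to confirm a renderer no longer echoes markup unescaped. The page template, parameter name `q` and the probe string are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for a search results page; the search term is dropped
# straight into the HTML body, which is where reflected XSS lives.
PAGE = "<html><body><h1>Results for: {term}</h1></body></html>"


def _search_term(query_string: str) -> str:
    """Pull the 'q' parameter out of a raw query string ('' if absent)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_search_vulnerable(query_string: str) -> str:
    """Reflects the user-supplied term verbatim: any markup in it becomes part
    of the page, so a crafted link turns into script running in the site's
    origin (the mistake the article's XSS section describes)."""
    return PAGE.format(term=_search_term(query_string))


def render_search_fixed(query_string: str) -> str:
    """Same page, but the term is HTML-escaped for the element-body context
    before it lands in the markup; '<', '>', '&' and quotes become entities."""
    return PAGE.format(term=html.escape(_search_term(query_string), quote=True))


def reflects_markup(render, probe: str = "<b>probe</b>") -> bool:
    """Regression check: feed a harmless markup probe through a renderer and
    report True if the raw probe survives unescaped (i.e. the page is unsafe).
    Using a benign tag keeps the check usable in CI without an exploit string."""
    output = render(urlencode({"q": probe}))
    return probe in output


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_search_vulnerable),
                     ("fixed", render_search_fixed)):
        print(f"{name}: reflects raw markup = {reflects_markup(fn)}")
```

The escape is context-specific: `html.escape` is correct for text between tags, but a term placed inside a JavaScript block or a URL attribute needs that context's encoding instead.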

A bug's life

Bug bounty programmes have become commonplace across the industry over recent years. The schemes offer an incentive for researchers to report flaws to vendors, rather than selling details of them on vulnerability marketplaces to whoever stumps up enough cash.

Google, in particular, is an expert at attracting media attention to its own bug bounty programme. PayPal, by contrast, is reluctant to talk about its own vulnerability reward scheme, perhaps because the nature of its payment-handling business makes it reluctant to get drawn into any kind of discussion about the security of its website.

The only known recipient of a bug bounty from PayPal is Germany-based security research outfit Vulnerability Laboratory, which earned a $3,000 reward back in January after discovering and reporting a critical bug to PayPal five months prior.

The flaw, a SQL injection vulnerability in the official PayPal GP+ Web Application Service, created a potential mechanism for hackers to inject commands through the compromised web app into the backend databases, potentially tricking them into coughing up sensitive data in the process.

Although he struck out when he reported a problem to PayPal, Kugler has successfully collaborated with other vendors.

The German teen has received a $3,000 award from Mozilla for finding a privilege escalation bug in Firefox, and another $1,500 for locating a separate flaw in Mozilla Updater. He also received a hat tip for security research from Microsoft, getting a shout out on its list of security researchers - though no financial reward for his efforts as yet.

"IT security is an interesting topic and I like to test things," Kugler told El Reg. "Sometimes things work differently under special circumstances, it's exciting to study this behaviour." ®

* Additional reporting by Iain Thomson
