
“We found PayPal vulnerabilities and PayPal punished us for it”

980 points, posted by teslademigod1 about 5 years ago

37 comments

guidovranken, about 5 years ago
HackerOne appears to be completely broken and I wouldn't recommend it to anyone.

Disagreements are to be expected on a bug bounty platform, but these days they just stop responding altogether and don't pay. It borders on outright fraud.

I've been trying to report a Squid RCE (CVE-2020-8450) since October. The Squid maintainers seemed unprepared for dealing with the report as they kept being unresponsive and it took 2 months to merge my patch. Maybe they're volunteers, so I can't blame them. Reported it to the bug bounty [1] which promises high rewards on January 20th and apart from triaging it, there has been radio silence since despite having invoked HackerOne mediation. I have more Squid memory bugs and I'd rather rm -rf them than go through this process again.

HackerOne used to be decent but this appears to be a structural problem now [2].

[1] https://hackerone.com/ibb-squid-cache
[2] https://twitter.com/DevinStokes/status/1228014268567547905
rideontime, about 5 years ago
From PayPal's response to a 2FA bypass:

> If the attacker has the victim's password, they would already be able to gain access to the account via web UI too. As such, the account is already compromised. As such, there does not appear to be any security implications as a direct result of this behavior.

Seriously? This means PayPal's 2FA is just security theater. I'd rather they didn't offer it at all in this case, at least then I'd know how insecure my account really was.
tptacek, about 5 years ago
People have a weird mental model of how big-company bug bounty programs work. PayPal --- a big company for sure, with a large and talented application security team --- is not interested in stiffing researchers out of bounties. They have literally no incentive to do so. In fact: the people tasked with running the bounty probably have the opposite incentive: the program looks better when it is paying out bounties for strong findings.

Here are the vulnerabilities in their report:

1. They can suppress a new-computer login challenge (they call this "2FA", but this is a risk-based login or anti-ATO feature, not 2FA).
2. They can register accounts for one phone, then change it to another phone, to "bypass" phone number confirmation.
3. There are risk-based controls in PayPal that prevent transactions when anomalies are detected, and some of them can apparently be defeated with brute force.
4. They can change names on accounts they control.
5. They found what appears to be self-XSS in a support chat system.
6. They found what appears to be self-XSS in the security questions challenge inputs.

None of these are sev:hi vulnerabilities, let alone "critical". 2 of them --- #4 and #6 --- are duplicates of other people's issues. Self-XSS vulnerabilities are often excluded entirely from bounty programs.

For the last 3 hours, the top comment on this thread has been an analysis saying that, because PayPal is PCI-encumbered, and HackerOne reports can function as "assessments" for PCI attestations, PayPal is in danger of losing its PCI status (and the fact that it won't is evidence that they are "too big to fail"). To put it gently: that is not how any of this stuff works. In reality, formal bug bounty programs are a firehose of reports suggesting that DKIM configuration quirks are critical vulnerabilities, and nobody in the world would expect any kind of regulatory outcome simply from the way a bounty report does or doesn't get handled. It should, I hope, go without saying that nobody is required to run a bounty in the first place, and most companies probably shouldn't.

The login challenge bypass finding was actually interesting (it would be more interesting if they fully disclosed what it was and what PayPal's response was). But these reporters have crudded up their story with standard bug-bounty-reporter hype, and made it very difficult to judge what they found. I'm inclined not to believe their claim that PayPal acted abusively here (and I am not a fan of PayPal).
leejo, about 5 years ago
This doesn't surprise me. I'm currently trying to get a refund out of PayPal after what looks like a massive flaw in their refund process. I paid for something on eBay and it appears to have been a compromised account. The original auction, feedback history, etc, looked legit. The flow was this:

1) I pay for a product on eBay using PayPal, using my credit card (direct from card, not from any existing PayPal balance).
2) Seller marks item as shipped but then 5 mins later issues an e-check refund (rather than a refund on my credit card).
3) Seller cancels and deletes the original item on eBay so I can no longer raise a dispute there.
4) The e-check refund continues to bounce as clearly the compromised PayPal account can't pull those funds from the other source.
5) The refund being in limbo means my dispute with PayPal gets closed as "a refund was previously issue" (which did, and will continue to, bounce).

The important part is 2 - since I paid for this on my card the refund should have gone direct to my card. However, since I paid for this on my credit card I've raised a chargeback with the issuing bank, which should hopefully make PayPal sit up and put a bit more effort into sorting this out.
rasengan, about 5 years ago
PCI DSS requirements specify that companies have 30 days to refute or remediate externally reported issues [1]. If they don't respond or fix some of these issues, then PayPal will no longer be compliant and all credit card companies will be forced to stop working with them unless they wish to set a precedent that PCI-DSS compliance is no longer required to be followed.

According to this image [2], they did not respond or refute within 30 days.

If PayPal's PCI-DSS compliance certification isn't revoked then PCI-DSS is a farce.

[1] https://www.itgovernance.co.uk/blog/a-guide-to-the-pci-dsss-vulnerability-scanning-and-penetration-testing-requirements
[2] https://cybernews.com/wp-content/uploads/2020/02/paypal-2fa-bypass2.png
fulldecent2, about 5 years ago
If you are receiving your money or reputation from a platform (like HackerOne) then you are going to be underappreciated, undervalued, and treated like an expense that should be minimized.

Here is what responsible disclosure looks like in 2020 from somebody that has self-worth:

> (Message posted to HackerOne, and emailed to any address you can find, and sent in a letter by mail. Yes, mail. Also copied in all those ways to investors of the target.)
>
> Dear Sir or Madam:
>
> I have learned about a security issue in PayPal's service. This includes being able to log in to user accounts without the credentials the system is expecting. [Be vague about how exactly it works, but explain the impact.]
>
> I am not an employee or contractor of PayPal and I will publish this on my blog at https://privacylog.blogspot.com to build on my reputation for finding and improving the security of internet systems.
>
> This post will publish on 2020-03-09, which is two weeks from today.
>
> If you are committed to fix this issue before public disclosure, I will be happy to work with you. You can contact me at ...

---

Key points:

- The discussion is about my reputation and values.
- I am not demanding any payment (not sure if that is legal).
- Set a firm publish date.
- This asks them to make a commitment to fix and frames the discussion going forward.

And if they do not get back to you, then when you publish you explain it just like you see in newspapers: "the vendor failed to respond and act on this report when I contacted them by email, social media and paper mail with two weeks' notice".
dev_hacker, about 5 years ago
Moral of the story is obvious: Next time sell the exploits on the dark web and skip the blog post.
sn4pp, about 5 years ago
> They deemed this issue a Duplicate, and we lost another 5 points.

A dupe costs points?! On Bugcrowd you GET points for dupes...
strictnein, about 5 years ago
I've had plenty of problems with bug bounty platforms and have completely stopped doing them. But most/all of these "critical" reports aren't critical and some of the behavior of their "researchers" is unprofessional at best. There's maybe one legit report here, and that's #2.

#1 "In order to bypass PayPal's 2FA, our researcher used the PayPal mobile app and a MITM proxy, like Charles proxy."

So you need to be MITM'd and have a malicious cert installed? Yeah... not "critical" and out-of-scope for most places.

For "#2 Phone verification without OTP", look at the messages they were sending. Did they not understand H1's responses? Repeatedly demanding answers isn't a great look. It's not surprising it was locked.

For #3: it requires stolen creds. A "security" flaw that requires stolen creds and brute forcing isn't going to get much traction anywhere.

#4 was a dupe.

#5 is a self XSS, no one accepts these.

#6 is a stored self XSS and a dupe.
harikb, about 5 years ago
There is plenty of blame to go around beyond the management. Management is always going to deflect, deny, or do whatever to save their face. There must be "architect/lead engineer" level folks whose primary task is to engineer this stuff well. WTF are they doing?

There should be a wall of shame for these (not by person, but by company and group). Next time you get a contact/candidate who "led the sign-on 2FA management" at PayPal, we will know to be extremely cautious.

There is no "karma" in the tech world. People design the shittiest systems in company 1 and then move on to some other role in company 2 and float around taking credit for more and more stuff someone else did.
cosmodisk, about 5 years ago
Sounds like PayPal business as usual. Crappy company with crappy attitudes. It's fascinating when people spend their time and effort on good causes instead of joining the dark side just to be shown the middle finger instead.
tfandango, about 5 years ago
I have not used PayPal since I had to file a dispute over an item I bought on eBay via PayPal. As a response they snail-mailed me a bunch of screenshots of an internal web app with a bunch of info for someone else: SSN, CC number, address, etc. Everything I would need to do something bad. I called them and they did not seem to care so I called the guy (I had his number of course) but he never answered or responded to my email.

A few months later I got a voicemail from PayPal; apparently my original call bubbled up. They asked if I had destroyed the info and to let them know if I had not (I did). Then there was a long pause (I guess they assumed the voicemail was over), and it turned out there were 4-5 people on that call and they then discussed how the call went and whether or not it was sufficient to CYA.

I've not used it since, and I hoped they got their act together (sounds like maybe not).
d4n, about 5 years ago
Unfortunately, for many companies, bug bounty programs have been the best invention in silencing security research and CVEs. They promise the world, beat you down on severity / payouts, sometimes just claim duplicate or known issue with no way to verify, and then block public disclosure. Very frustrating.
hprotagonist, about 5 years ago
paypalsucks has been a registered domain since 2002 for a good reason.
LegitShady, about 5 years ago
> When we pushed the HackerOne staff for clarification on these issues, they removed points from our Reputation scores, relegating our profiles to a suspicious, spammy level. This happened even when the issue was eventually patched, although we received no bounty, credit, or even a thanks. Instead, we got our Reputation scores (which start out at 100) negatively impacted, leaving us worse off than if we'd reported nothing at all.

That seems like a good way to make sure nobody trusts your business. What say you, HackerOne? How can anyone trust this business acting against what ostensibly is its core function?
dinkydrew, about 5 years ago
This is a bit tangential to the topic, but I find it immensely more interesting that after literal decades of utterly egregious abuses and downright evil behavior by PayPal, people still seem to be surprised by this type of behavior.

I find it so fascinating because it is a kind of manifestation of what is clearly a kind of mentality of abused people, the kind of people who others usually see as being trapped in a kind of inability to internalize the abuse being perpetrated against them, and who therefore rationalize, excuse, ignore, etc. to simply push away and hide and suppress the clear abuses happening to them. It's just as sad as it is interesting to me because of the inherent illogical puzzle it represents, a puzzle that clearly has not yet been solved or for which there exists no easy and clean solution. How do you get someone out of an abusive relationship, be it a personal relationship or something like a formalized cult?

We are all abused by PayPal and other tech companies on a constant basis, yet all we do is lament the treatment, while simply just continuing on in the abusive relationship. Someone should tell PayPal, etc. "no, you are not allowed to abuse us anymore. We have human rights and your lies, deceit, abuse, manipulation, gaslighting, monopolization, etc. are not going to be tolerated anymore." But I guess our other abusers in Congress get too much money and free meals out of it to change that.
Moru, about 5 years ago
I know of a really nice vulnerability but I know when to shut up. I almost scammed a legitimate business by mistake. Made sure to pay them with a normal bank transfer instead. Don't want to complain in case their account gets closed down or something. Not touching PayPal again.
ohithereyou, about 5 years ago
I've seen several stories about how HackerOne doesn't pay out bug bounties when bugs are reported. I, for one, wouldn't submit bugs/PoC to them, and I would actively, publicly, and immediately disclose bugs that affect anybody who is a client of HackerOne.
jokoon, about 5 years ago
I say it all the time: there are no incentives or rules regarding cybersecurity standards, or companies have no obligations to follow them. The costs and risks of cybersecurity are pretty high; the public are always the first victims and pay the damage.

Cybersecurity has always been a national problem which should be solved by laws.

Insurance companies or banks should at least be encouraged to do more.

Cybersecurity shouldn't be improved with bug bounties.
soared, about 5 years ago
Are HackerOne analysts employees of the company? If so the conclusion drawn sounds like complete BS.

If the analysts are just other users, then it definitely sounds like there is a problem.
znpy, about 5 years ago
The author might as well have sold the exploits for the best offer.

If a company advertises a bug bounty program but fails to follow through, such a company kinda deserves to be hacked. I mean, you are wasting people's time and still getting critical bug reports, probably along with a detailed write-up.

Also, we might also discuss the fact that for a company that moves (and earns) as much money as PayPal, 30 kUSD is probably very little when compared to the possible outcomes of being hacked.
BrandoElFollito, about 5 years ago
We run a private bug bounty (not via H1 but another platform), classical pentests, dynamic code assessment and a responsible disclosure program.

Pentests are ok, they help to scrap plenty of bugs. I am not a great fan otherwise because it is based on a fixed rate.

Private BB ended up fantastic. Great bugs, great researchers, reasonably good pay (not Apple grade but we paid some 30k€ iirc). Feedback from researchers was good, including unexpected public praise.

Dynamic code reviews are a mixed bag. Usually crap, sometimes hidden gems.

Responsible disclosure is a mixed bag too. It is very binary: 20% great from great researchers we usually invite to the private bounty afterwards, and 80% garbage. Oh man, the garbage. Often I do not even understand the submission (not being a native English speaker either).

One other problem with public programs is the legal implications of paying an anonymous reporter (imagine a US company paying someone affiliated with NC or Iran or Daesh, and that info published in the press).
mjparrott, about 5 years ago
Given that there seems to be no consequence to getting hacked, I could see companies putting their bug bounties into a filibuster program. They can outsource their liability. I doubt the insurance companies who rate them care if the 3rd party bounty administrator is effective.
jonnycomputer, about 5 years ago
I have no experience, but it seems to me that a bug bounty program would be ripe for abuse by employees intercepting reports, feeding them to a partner hacker, and then splitting the bounty between themselves. What stops that from happening?
ryanlol, about 5 years ago
> Most ethical hackers will remember the 2013 case of Robert Kugler, the 17-year old German student who was shafted out of a huge bounty after he discovered a critical bug on PayPal's site. Kugler notified PayPal of the vulnerability on May 19, but apparently PayPal told him that because he was under 18, he was ineligible for the Bug Bounty Program.

> But according to PayPal, the bug had already been discovered by someone else, but they also admitted that the young hacker was just too young.

Bad PR like this shows that bug bounty programs are probably more trouble than they're worth.
HoustonRefugee, about 5 years ago
None of this is surprising. I keep the lowest possible amount of money in PayPal to cover eBay charges. Too many horror stories.
WUHANCLAN, about 5 years ago
HackerOne is complete garbage. I spent close to a month digging into Uber and compromised their m.uber.com mobile endpoint; they hemmed and hawed and then awarded the $25K to another HackerOne top performer stating that he had discovered the exact same vulnerability the day before I had submitted the report.

What's weird about it is that I was using Burp Proxy for everything, and this guy was directly connected to PortSwigger (and Uber was running some promotional for a free three month license for Burp Proxy).

HackerOne completely sided with Uber on everything, gave the PortSwigger kid $25K and that was that.

So, in summary: HackerOne is trash, and Burp Proxy may contain backdoor functionality which is relayed directly back to PortSwigger whenever a high value critical vulnerability is discovered with it.
Darknessgazer, about 5 years ago
If anyone in this thread is interested in talking about their experiences with HackerOne, please shoot me an email at david.morris@fortune.com.

Positive or negative. We can set up a time to talk, or if you're more comfortable, just include details in your email.
ghostpepper, about 5 years ago
Off topic, but did anyone else think that the diagonal black line on the Share button on cybernews.com looks like a very thin hair on your screen? Almost feels like it was done on purpose.
neycoda, about 5 years ago
If a company or government ignores security vulnerability reports this way, then you publicize it, anonymously if necessary, through the press if necessary, to the bad guys if necessary.
hoppla, about 5 years ago
My two last reports were closed as duplicate. I got some rep for one, and zero rep for the other. Both were real vulnerabilities. It is strange the reputation reward is not consistent.
rishabhd, about 5 years ago
Been there, seen that. I find it hard to trust bug bounty platforms and their vulnerabilities as a researcher.
IronWolve, about 5 years ago
Interesting timing: a pro-HackerOne article on Slashdot posted hours after this post about HackerOne issues.
homakov, about 5 years ago
None of the bugs is critical, not even medium severity.
Vysero, about 5 years ago
I have heard enough. I am done using PayPal.
stebann, about 5 years ago
Hackers of the world, unite!
blazespin, about 5 years ago
Hmm, they don't look that bad - https://hackerone.com/paypal

Here's an example of something that got paid out by PayPal - https://hackerone.com/reports/739737 (15K)

Good writeup - https://medium.com/@alex.birsan/the-bug-that-exposed-your-paypal-password-539fc2896da9

Interesting history with PayPal - https://hackerone.com/alexbirsan

Here's how duplicate reports are dealt with - https://docs.hackerone.com/programs/duplicate-reports.html

I am curious if PayPal provided the OP with original reports. They don't say. I wonder how much the OP is not saying here, versus how much they understand the platform they are working on.

This statement makes me very curious: "Other criticisms have pointed out that Security Analysts can first delay the reported vulnerability, report it themselves on a different bug bounty platform, collect the bounty (without disclosing it of course), and then closing the reported issue as Not Applicable, or perhaps Duplicate."

How can you do that if you're providing the original report?

Also, the guy is just wrong. You GAIN rep points for duplicates, unless you did something dumb and really amateur like not searching first for already publicly disclosed issues.

https://docs.hackerone.com/hackers/reputation.html#effects-of-report-state-on-reputation