A lovely information leak on Paypal's front-page is that if you attempt to log in with a banned account, and any password whatsoever, it gives you a nice error message saying that account is banned (therefore confirming the account exists, info leak #1) and also gives the current account balance (info leak #2).
I know this because my account is banned.
Why's my account banned? Because in 2006 I received an unsolicited phone call from somewhere in Nebraska claiming to be Paypal and informing me they needed to verify my account credentials. I played along with the obvious phishing attempt for a few minutes until they demanded the email and mailing address on my account to "verify I was the account holder". I told the woman on the other end to go fuck herself and hung up. Turns out it was Paypal and they banned me for failing account verification.
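The leak described in this comment (account status checked before the password, and balance included in the error) next to a login handler that does not distinguish the cases. This is an added illustration, not code from the thread or from PayPal; the user store, salts and passwords are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample user store (not real data). Passwords are stored as
# PBKDF2-SHA256 hashes with a fixed demo salt; a real system uses per-user salts.
_SALT = b"constructed-demo-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

USERS = {
    "alice@example.com": {"pw": _hash("correct horse"), "status": "active", "balance": 42.00},
    "bob@example.com":   {"pw": _hash("hunter2"),       "status": "banned", "balance": 17.50},
}
# Hash compared against when the email is unknown, so the work done is the same.
_DUMMY_HASH = _hash("dummy-password")

def leaky_login(email: str, password: str) -> str:
    # Mirrors the behaviour described above: status is reported before the
    # password is ever checked, and the message carries account-specific data.
    user = USERS.get(email)
    if user is None:
        return "No account with that email."
    if user["status"] == "banned":
        return f"This account is banned. Balance: ${user['balance']:.2f}"
    if not hmac.compare_digest(user["pw"], _hash(password)):
        return "Incorrect password."
    return "OK"

GENERIC_FAILURE = "Login failed. Check your email and password."

def hardened_login(email: str, password: str) -> str:
    # One response for unknown email, wrong password and banned account, and the
    # password is always verified (against a dummy hash for unknown users) so an
    # unauthenticated caller learns nothing about whether the account exists.
    user = USERS.get(email)
    stored = user["pw"] if user is not None else _DUMMY_HASH
    password_ok = hmac.compare_digest(stored, _hash(password))
    if user is None or not password_ok:
        return GENERIC_FAILURE
    if user["status"] != "active":
        # Only someone holding the password gets to hear the account is
        # restricted, and even then no balance or other financial data is shown.
        return "Your account is restricted. Contact support."
    return "OK"
```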
Why don't PayPal and other services add a Verified Paypal code to a user's account page, and train users to log in during these phone calls and ask the caller for the code?
The training itself - if you're being verified, you should do the same of the caller - would have immense societal value.
IIRC PayPal used to be particularly bad about obliviously sending emails and phoning users; asking for contact info, or other info that shouldn't be communicated in such a way.
Anecdotally I've seen similar bad behaviors in a lot of bug bounty programs:
- I haven't submitted to PayPal, but I do have a minor eBay XSS which I reported in May (eBay doesn't have a bounty program, but they do have a responsible disclosure policy: http://pages.ebay.com/securitycenter/Researchers.html). The last time I asked if the issue was patched I was told "Not yet. We'll let you know when this is resolved." This was in June, I haven't re-tested recently.
- When CCBill had a bug bounty program I was able to gain access to their admin panel because it was publicly accessible and linked to via a directory index. That followed a story similar to the one here (I reported it, it was rejected as a duplicate, I followed up about a month later when it still wasn't patched and they quietly patched it and paid me money).
- Yandex recently launched a bug bounty program. So far I've submitted 3 or 4 issues. I've only heard about one of them: it was marked as a duplicate, which is fine, but weeks later the issue still isn't patched.
That being said there are companies like Google, Mozilla, Facebook, Etsy, GitHub, Reddit, and many others which take responsible disclosure of security issues seriously. But it does seem like certain companies need to re-examine how they handle reports from external researchers.
It's interesting you had to work with CCBill, don't know too many other (good) developers who were in that industry. I have so many horror stories with CCBill and Epoch.
I've actually submitted, and was recently paid for, a Paypal XSS bug. I had the same issue with the expired PGP key and also received the new key from them manually. The whole process took around 4 months to complete, for most of which I was left in the dark. The only notification received came in every 2 weeks to notify me that I was still in queue. Paypal paid me $250 initially and another $500 after the bug was fixed. The initial $250 was actually submitted to the email address on the account I was testing with (which had actually already been "Restricted") as opposed to my real PayPal address, which they requested and I had provided. I was actually surprised by the amount as at no point was I told how much I would receive (I had originally expected the second payment to also be $250). I appreciate the program but they have a lot to learn; in comparison the same process with Etsy took less than a day for them to replicate/patch. Google, even with its size, takes roughly 3-4 weeks and communicates fairly quickly throughout the entire process. I will say it was rather nice to be able to cash out the bounty in just a few days after each payment, but compared to the rest of the companies with bug bounty programs, PayPal's ranks lowest in my opinion.
Maybe the writer should email the CEO or whoever it was that a week or 2 back was announcing Paypal's brave new era of happiness, joy and customer service.
PayPal pays a lot less than other companies that are serious about their security. A bug like the one in the post could be sold on the black market for thousands and thousands more.
Fuck Paypal.