PayPal security holes expose customer card data, personal details

Powered by SC Magazine
 

Company denies data was accessible.

Updated: A security researcher has reported finding serious flaws in PayPal websites that could grant attackers access to customer credit card data, account balances and purchase histories.

But a PayPal spokesman has denied that active user data was ever publicly accessible.

The holes were discovered by security researcher Neil Smith from Texas firm Zing Checkout.

One of the holes was publicly disclosed after a failed effort in July to report them responsibly under PayPal's bug bounty program.

Smith found that attackers could log into publicly accessible PayPal administrative sites by way of an authorisation bypass and a cross-site scripting (XSS) vulnerability.

PayPal admin page

Since breaking into the site would have violated computer crime laws, he instead ran a Google search on the affected page and discovered what appeared to be a printout of it, titled "PayPal Administrative Tools", in a PDF document.

That document, filed with a US court, contained redacted credit card information, IP addresses and a wealth of other personal customer data.

It was uncertain whether the vulnerable staging page held the same sort of data as the court document, since Smith could not legally break into the page. But he told SC that subsequent vulnerability research, carried out in close cooperation with PayPal's chief security officer Michael Barrett, had revealed "shocking amounts" of customer data.

“Have I ever come across very large amounts of customer data while combing through the PayPal QA netblock [credit cards, bank numbers, etc.]? Yes. Lots of it. Shocking amounts of it,” Smith said in an email.

“But that is still being actively addressed by PayPal at this time, so I cannot go into details about it.”

A PayPal spokesman denied Smith had been able to access private information about users.

"Neither he nor anyone else ever obtained or was able to obtain personal data directly from PayPal, particularly as the bug submitted pertained to test data in a QA environment," the firm said.

"PayPal takes the security of its users extremely seriously and will continue to be aggressive in securing the data of our customers in all scenarios."

The company initially declined to disclose information on the vulnerabilities.

Bug pay

Smith's frustration, which led him to disclose the one now-closed flaw, stemmed from PayPal's initial refusal to pay him for one of the two bugs he reported.

He received cash for an XSS vulnerability but not for the authorisation hole, which the company reportedly said it was unable to reproduce and had dubbed "invalid".

PayPal has since paid for his bug disclosures and Barrett has begun working with him to identify further holes.

Smith said he had the "utmost respect" for Barrett, who was assisting with further security reviews.

“For the record, Michael Barrett is a great guy who I have the utmost respect for, and I have had quite a bit of correspondence with him directly after my blog post. Also, since the blog post, per the request of Michael Barrett, I combed back through the PayPal QA netblock since I first took a look at it over the summer, and have several new outstanding bug reports that are actively being addressed (a few of which are much more serious than what my post covered),” Smith said.

PayPal said it was working out kinks with its new bug bounty program.

“What I can tell you is that PayPal's bug bounty program has been very successful so far and we've had great feedback from the majority of researchers who are participating,” spokeswoman Jennifer Hawkes said.

“Since this program is fairly new, we are admittedly working out a few kinks. We genuinely appreciate follow-up from researchers like [Smith] to help us make the program better. In [Smith's] case, I believe we have reached a positive conclusion."

In a blog post titled "PayPal bug bounty - a lesson in not being a f*ckup", an evidently frustrated Smith said he had expected PayPal to have tight security.

"I was wrong. Really wrong," Smith said at the time.

He said good communication between security researchers and vendors was key to successful bug bounty programs.

“Communication is paramount. Researchers are often not doing it for the financial reward (you can make more on the black market selling these), but out of a sense of trying to better the landscape around them. Without a personal level of communication, companies often interpret well intended reports as malicious, and researchers lose the drive to participate when they do not see actionable results,” Smith said.

Indeed, scores of security researchers have dumped vulnerabilities online out of frustration when poor vendor communication stalled responsible disclosure.

Meanwhile, bug bounties have been growing in popularity. In recent years Samsung, Mozilla, Facebook and Etsy have launched programs offering cash rewards for privately-reported vulnerabilities.

"It seems having a bug bounty is all the rage of the new marketing department," Chris Gatford, director of Sydney-based penetration testing outfit HackLabs, said.

Gatford said bug bounty programs were easy to announce as marketing exercises but likely difficult to run effectively in practice.

PayPal launched its bug bounty program in July and was touting it on its blog at the time.

Copyright © SC Magazine, Australia
