PayPal security holes expose customer card data, personal details

Updated: A security researcher has reported finding dangerous website flaws in PayPal that grant attackers access to customer credit card data, account balances and purchase histories.

But a PayPal spokesman has denied that active user data was ever publicly accessible.

The holes were discovered by security researcher Neil Smith from Texas firm Zing Checkout.

One of the holes was publicly disclosed after a failed effort in July to responsibly disclose them under PayPal's bug bounty program.

Smith found that attackers could log into publicly-accessible PayPal administrative sites via authorisation bypass and cross site scripting (XSS) vulnerability.

Since breaking into the site would violate computer crime laws, he ran a Google search on the affected page and discovered what appeared to be a print out of the page titled "PayPal Administrative Tools" (pdf).

That US court document revealed redacted credit card information, IP addresses and a wealth of other personal customer data.

While it was uncertain that the vulnerable staging page contained the same sort of data within the court document -- since Smith could not break into the page — he told SC that similar ensuing vulnerability research made with close cooperation with PayPal's chief security officer Michael Barrett had revealed "shocking amounts" of customer data.

“Have I ever come across very large amounts of customer data while combing through the PayPal QA netblock [credit cards, bank numbers, etc.]? Yes. Lots of it. Shocking amounts of it,” Smith said in an email.

“But that is still being actively addressed by PayPal at this time, so I cannot go into details about it.”

A PayPal spokesman denied Smith had been able to access private information about users.

"He – nor anyone else – ever obtained or was able to obtain personal data directly from PayPal, particularly as the bug submitted pertained to test data in a QA environment," the firm said.

"PayPal takes the security of its users extremely seriously and will continue to be aggressive in securing the data of our customers in all scenarios."

The company initially declined to disclose information on the vulnerabilities.

Bug pay

Smith’s frustration — which led to his disclosure of the one now-closed flaw — stemmed from PayPal’s initial failure to pay him for part of his bug reporting.

He received cash for a XSS vulnerability but not the authorisation hole which the company reportedly said it was unable to reproduce and had dubbed "invalid".

PayPal has since paid for his bug disclosures and Barrett has begun working with him to identify further holes.

Smith said he had the "utmost respect" for Barrett who was assisting with further security reviews.

PayPal said it was working out kinks with its new bug bounty program.

“What I can tell you is that PayPal's bug bounty program has been very successful so far and we've had great feedback from the majority of researchers who are participating,” spokeswoman Jennifer Hawkes said.

“Since this program is fairly new, we are admittedly working out a few kinks. We genuinely appreciate follow-up from researchers like [Smith] to help us make the program better. In [Smith's] case, I believe we have reached a positive conclusion."

In a blog titled "PayPal bug bounty - a lesson in not being a f*ckup", an evidently frustrated Smith said he anticipated PayPal would have tight security.

"I was wrong. Really wrong," Smith said at the time.

He said good communication between security researchers and vendors was key to successful bug bounty programs.

“Communication is paramount. Researchers are often not doing it for the financial reward (you can make more on the black market selling these), but out of a sense of trying to better the landscape around them. Without a personal level of communication, companies often interpret well intended reports as malicious, and researchers lose the drive to participate when they do not see actionable results,” Smith said.

Indeed scores of security researchers have dumped vulnerabilities online out of frustration when poor communication hinders responsible disclosure.

Meanwhile, bug bounties have been growing in popularity. In recent years Samsung, Mozilla, Facebook and Etsy have launched programs offering cash rewards for privately-reported vulnerabilities.

"It seems having a bug bounty is all the rage of the new marketing department," Chris Gatford, director of Sydney based penetrating testing outfit HackLabs said.

Gatford said bug bounty programs were easy marketing exercises but likely difficult to effectively run in practice.

PayPal launched its bug bounty service in July at which time it was busy touting the feature on its blog.

Copyright © SC Magazine, Australia