PayPal pays $10,000 to discoverer of massive security flaw (+video)

An Egyptian security researcher has scooped the top payout for security bugs from PayPal for discovering a massive security flaw that exposed the accounts of over 150 million users.

Yasser Ali was able to get around PayPal's CSRF Prevention System and capture an authentication token that could be used to affect a customer's PayPal account. With it, an attacker could add, remove or confirm e-mail addresses, add fully privileged users to a business account, and change security questions, billing info, shipping info, payment methods and so on.



He disclosed the bug to PayPal and received the firm's top award incentive for bug hunters, pocketing $10,000 for his work.

He also detailed how he beat PayPal's security systems on his blog, and provided this proof-of-concept video.



Via: Sophos (Naked Security)

Written by: James Delahunty @ 7 Dec 2014 7:57
  • 4 comments
  • Dragon3000

    bloody hell! just shut the internet down for good already!

    ZX Spectrum 128K

    8.12.2014 08:49 #1

  • evelyn.tam

    Hi James, Evelyn here with PayPal. Any chance you can share your email address?

    8.12.2014 14:30 #2

  • hearme0

    Thank God for no-life losers that hack this crap morning, noon and night. To have honestly caught this, you'd have to eat, breathe, see, and think ones and zeros and likely don't have much of a life outside of the keyboard and mouse.

    I am grateful though.

    8.12.2014 14:46 #3

  • alotanor

    they should've added another '0' onto that amount.

    9.12.2014 14:48 #4
