Tech has always been filled with teenagers discovering things, now more than ever. Most bounty handlers treat them as valued contributors, Paypal — as usual — shits all over everything.
The Federal Labor Standards Act has provisions about anyone under the age of 18 working for companies whose revenue is greater than $500,000. It sucks to be a kid for a lot of reasons.
This kid just blamed Paypal for one of our country's many idiotic federal laws.
This choice should be considered a career limiting decision by any hiring manager.
I find the meaning and knowledge of laws to be inaccessible overall as an 18+ citizen. I'm not American, but who for instance knew that there were "provisions" under the Federal Labor Standards Act?
It makes me angry, but the law here in the US is that "ignorance is not a defense." Oh... you didn't know our several million laws when you broke one? Too bad, they say. Lawyers counter that if the law was simpler, they wouldn't have jobs.
Still very poorly handled. Should've gone something like:
1. "Hey, that's awesome that you found that, thanks!"
2. "For very good reasons (a), (b) and (c) we can't actually pay you, that really sucks :("
3. "But hey we like your style, so how about we fly you over for an internship when you've finished school / investigate if Germany has different rules / look at scholarship options and a great reference / [one of a million other things you could do to help a kid out]"
IANAL.. but I can't see how asking a parent to represent him would relieve PayPal of complying with labor standards for minors... he's still the one doing the work.. and advising him to have a parent represent him is just written proof that they knew.
"This choice should be considered a career limiting decision by any hiring manager."
Hopefully not forever. When I was young and stupid and the net was a much simpler place I casually fully disclosed the problem with posting your Cisco configs with "encrypted" passwords to Usenet:
I would not do something like this today, especially not in such a full-of-myself douchey manner.
Sadly a lot of postings to the internet are basically "forever" at this point and combined with the insistence of so many companies that real names be used, we're going to have generations of younger folks who say or do something stupid (because they are young and stupid) that they can never get rid of. And that's unfortunate.
I completely agree. I also think that this kind of post on full-disclosure should be used as an example of what-not-to-do.
I've always treated vuln reward programs as resume enhancers. If you submit a bug and get it fixed, you get to show two incredibly valuable and rare skills in the infosec community:
1) technical chops
2) interpersonal skill
Disclosers who have the patience to endure some of the bullshit that comes up in these programs are going to be successful in the security industry. The hardest problems in infosec are not technical. They are cultural. Publicly flaming a vuln reward program because they didn't pay you for what you see as an arbitrary reason is exactly the kind of reason execs do not want to do vuln reward programs. Someone had to fight to get that program set up at paypal. It had to be within the laws of the country that governs the company. This kid just threw a temper tantrum in public and signed his name on the email. Any advocates he had at paypal are probably re-evaluating their support of him. So short sighted.
Just an FYI, you can (even if you don't have the email anymore) get old posts removed from Google Groups; you have to jump through a bunch of hoops, but it isn't too hard to do. Just read around. I had to cover for 18 year old me posting god knows what on Usenet several years ago. I did this when Google first bought Deja News, however; you can likely get them to remove it.
Who knew people were saving stuff back in 94-95. Hell, anyway 18 year old me didn't care, but luckily I can cover for him.
The Fair Labor Standards Act places no limitations on the work of 16 and 17 year olds in non-hazardous jobs, and in any case does not concern itself with non-employment relationships like the one Paypal would have had with this 17-year-old.
There is a reason that you read about minors running their own businesses all the time. The laws are targeted at employment that is exploitative or interferes with a child's education. Not at things like this.
Or, pay him via his parents. Somehow we manage to have child actors get paid by movie studios; there must be a way for them to be able to pay children bug bounties, if they actually wanted to.
How do those apply in Germany? Do all subsidiaries in all countries have to follow FLSA? I assume Paypal's German subsidiary is only responsible for following German employment law.
If the feds were to audit the situation you are describing, I would wager they'd come after Google.
Google has a lot more freedom and track record for asking forgiveness instead of permission than Paypal (i.e. wifi sniffing in google cars). They are not a payment processing company.
This stuff is complicated. Never attribute to malice that which is adequately explained by stupidity.
Why would they come after Google? A parent can make nearly any transactions for the child. And 17 year olds can take jobs, so even giving him a "job" to pay him through would probably only interest the tax guys ("Why are you paying some guy in Germany 10k an hour?" "Because we don't want to wait too long to transfer all the money" probably is problematic).
If it is a problem with US law, both google and paypal have companies in the EU that could handle that.
As an example, an attacker can craft a script that would run within the paypal.com domain name. The script can therefore potentially grab the user paypal session (if the user is already logged in). Otherwise, it can show any information the attacker wants, and to the user this looks like a real trustworthy paypal page. It is running on the paypal.com domain, and the browser shows it's secured and trusted. So for example, it can display the login page and asking to confirm the password, or keylog anything the user presses etc.
This link can be embedded on a different site, or sent via email, and because the link itself points to paypal.com - it is much more likely to be trusted by unsuspecting users.
> This link can be embedded on a different site, or sent via email, and because the link itself points to paypal.com - it is much more likely to be trusted by unsuspecting users.
Doesn't seem like that is the case here. The bug is in the search form, which is POST only. It wouldn't be enough to share the link to the search page, you'd need something that does the search on your behalf.
That is not what I am disputing. If there is a bug in paypal's search via POST only, you cannot link to paypal's search. You would need to link to a page you control that performs the POST automatically. If you send a link to the search that only takes parameters via POST, paypal will never receive the payload.
If the paypal search only accepts POSTs then you're absolutely right. It won't be as easy as sharing a link. If it happens to also accept GET requests, then it would. I didn't test this.
Note that _if_ the form is already CSRF-protected, then attackers won't easily be able to POST from a different domain either, which would drastically reduce the attack surface.
I didn't test this, but I'm not sure the form is fully CSRF protected though. I tried to explain the potential exploit from this discovered vulnerability. Perhaps I should have stated more clearly that this is more a general comment, and not specific to this particular case.
Although the user has to place in the payload himself to exploit this vulnerability, there are a few ways the attacker can use this. The most obvious and simplest to do is to create a form that does the search for the user, and thus fills out the form for the user, exploiting this vulnerability. You could have the form submit automatically via javascript on page load, requiring no user interaction.
Once the form has been submitted on behalf of the user, you have javascript execution in the context of paypal.com, and can do pretty much anything. Send the contents of your account to another address, shut down the account, exfiltrate past transaction data, etc.
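The search-form scenario discussed above (reflected input, POST-only endpoint, and the CSRF-protection question) as an added defender-side example, not code from the original thread or from PayPal: a minimal vulnerable search handler beside a hardened one that accepts POST only, checks a per-session synchronizer CSRF token, and HTML-escapes the reflected query. The session store, token value and payload are constructed for the example.

```python
import html
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed session store: session cookie value -> per-session CSRF token.
# A real deployment generates the token with secrets.token_hex(); it is fixed
# here only so the example is deterministic.
SESSIONS = {"sess-abc": {"csrf": "tok-1f2e3d4c"}}

# Constructed sample input in the style of the thread: a script tag typed into
# the search box. Any reflected, unescaped query would let it run on the origin.
PAYLOAD = "<script>alert(document.cookie)</script>"


def make_body(q, csrf=None):
    """Build a form-encoded request body like a browser form submission."""
    fields = {"q": q}
    if csrf is not None:
        fields["csrf"] = csrf
    return urlencode(fields)


def search_vulnerable(method, body):
    """Reflects the 'q' field unescaped, with no method or CSRF check.

    This is the defect class discussed above: whatever is POSTed (or linked,
    if GET were also accepted) comes back as live markup in the site's origin.
    """
    q = parse_qs(body).get("q", [""])[0]
    return f"<h1>Results for {q}</h1>"


def search_hardened(method, body, session_id):
    """Accepts POST only, requires this session's CSRF token, escapes output."""
    # A GET-reachable search could be triggered by a bare link; POST only
    # means a third-party page has to submit a form instead of sharing a URL.
    if method != "POST":
        return "405 Method Not Allowed"
    fields = parse_qs(body)
    session = SESSIONS.get(session_id)
    token = fields.get("csrf", [""])[0]
    # A form hosted on another domain cannot read this page's token, so an
    # auto-submitted cross-site POST arrives without it and is rejected.
    if session is None or not hmac.compare_digest(token, session["csrf"]):
        return "403 Forbidden: missing or invalid CSRF token"
    # Contextual output encoding: the query is data, never markup.
    q = fields.get("q", [""])[0]
    return f"<h1>Results for {html.escape(q)}</h1>"
```

Escaping closes the XSS itself; the CSRF token and method check only narrow who can reach the endpoint, so both layers belong together.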
I could set up a redirect to POST data to that search form and steal his cookies/replace the page with a login form/all the fun you get running arbitrary javascript.
If you can redirect someone to that page you could redirect them to any page...
But they want to go to PayPal, you send them there, and you pass along some post data to hijack their session.
Can you clarify exactly when you reported this XSS as a personal friend of mine reported it (exact same bug with a slightly different XSS vector) and was told it had already been found a reasonable while back.
(From memory, he also took a few photos of it.)
Would be interested to hear your response as it might give this another angle entirely, haha.
My personal experience with PayPal isn't particularly great,
I'm a security researcher who's just turned 18, and even when I was underage I never actually disclosed that but regardless I had the following knocked back;
A whole heap of non-critical XSS's, and two critical stored ones. The ability to edit titles on some PayPal subdomains (without giving too much information out) - this vulnerability still exists, but I was told it was, quote, "not serious" even though the title field was vulnerable to stored XSS.
Full path disclosures, open administrative panels, and a whole variety of cookie/SSL/TLS based issues which I was told did not warrant a bounty.
Also had a personal friend (the same guy who found the XSS you've posted here) find a couple of SQLi's on a few PayPal domains (post-auth) and he still hasn't heard back from them.
I'm not going to be the guy to accuse PayPal of not playing fair here, but my friend has also reported vulnerabilities I had previously reported and gotten paid for them. (Might be because he reports them from his security company email, whereas I was reporting them as an individual).
On a sidenote, does anyone have a good setup for browsing securely to avoid issues like this? I ran with JS restricted to a whitelist for a while, but many random websites that I have to use require it these days.
Can you use something like Ghostery to allow any site to do its own JS but not external JS, besides whitelisted sites/externals?
Run your browser in private mode, or create a separate user account and run the browser under that. Or just use a different browser for the "secure stuff" (e.g. your online banking etc.). Then it doesn't matter what kind of XSS trickery they throw at you, because your cookies aren't accessible to the browser.
I suppose it might be useful with a browser extension/feature that allowed you to lock access to certain sites' cookies until you have explicitly granted use. Sort of like how the keychain works on OS X.
Bitcoin is not MtGox or any other exchange. But to be fair, bitcoin itself had its share of security issues (fixed, but who knows what the future holds).
Kudos for them being honest with both the bug and their age regardless.
The future is probably filled with teenagers discovering things, good and bad.
Teenagers are still prosecuted as adults but legally treated as less for other responsibilities.