Identification Bypass on PayPal (Bug Bounty)

First published Sun Dec 18 16:10:25 2016 +0900 ; substantive revision Sun Dec 18 16:20:04 2016 +0900

Tag : Security

 この記事は脆弱性"&'<<>\ Advent Calendar 2016の18日目です。17日目はThis is test blog: Facebook Bugbountyでした。



It was a logical kind of vulnerability. Nothing technically special, but the case may help to embody the coming post-XSS world.


PayPal users are prohibited to change one’s name on his/her PayPal account to a different person’s name. In case of necessity, users must provide their identity documents to PayPal in order to prevent “identity theft, money laundering, and the financing of terrorism” (see the video above); and it seems that real people in cooperation with PayPal verify them.

However, the bug had allowed users to bypass the identification procedure and to change one’s name to arbitrary one. By this, a malicious user possibly could get verified by PayPal once with the legitimate procedure, and then “become” whoever he/she want to be.


Report #1

March 2015 Reported the bug
April 22, 2015 Received an initial response
May 22, 2015 Received an initial part of the bounty
2015 Summer PayPal largely redesigned the website, and the bug was fixed at the same time (at least, became no longer vulnerable)
November 19, 2015 PayPal BBP “have determined that this issue will not be fixed”, because the bug was “not actionable” (but you fixed it, aren’t you?)
December 4, 2015 Received a complemental “nominal” (term used by PayPal BBP) bounty

Report #2

December 11, 2015 Found a similar but unfixed bug at another place and reported it again
January 22, 2016 Received an initial part of the bounty
April 23, 2016 PayPal BBP told me that the bug “has been fixed”, but I reconfirmed that the bug hadn’t been fixed yet
April 29, 2016 Received a complemental final bounty (which was independently evaluated but less than #1 in total)
April 29, 2016 Replied (with a PoC video) to PayPal BBP that there still was the flaw
April 30, 2016 PayPal BBP decided to work on the issue again
December 2, 2016 I noticed that the bug had been fixed one day by then, and asked PayPal BBP for an update
December 13, 2016 PayPal BBP confirmed that the bug had been fixed but with no mention of bounty


In my opinion, it took a too long time to handle the bug, and PayPal BBP may have underestimated the flaw. At the time of my reports, PayPal BBP had prescribed that up to $3000 would be rewarded for reporting authentication bypasses1 (and $750 for CSRF was minimal listed, while the total amount I received for the identification bypasses is less than $750.) Both identification and authentication bypass matter more or less2, even though flaws in identification are far less common than those in authentication. Admitting the BBP has total say on the evaluation, the criteria may be unclear.

After all I felt a bit unfairly treated in terms of “bug bounty”, compared to my experiences in other bug bounties. Anyway, as a PayPal user, I feel easier using the safer PayPal. Thanks PayPal BBP and the team!