Identification Bypass on PayPal (Bug Bounty)

First published Sun Dec 18 16:10:25 2016 +0900 ; substantive revision Sun Dec 18 16:20:04 2016 +0900

Tag : Security

This article is day 18 of the 脆弱性"&'<<>\ Advent Calendar 2016. Day 17 was This is test blog: Facebook Bugbounty.

Summary

Details

It was a logic flaw. Nothing technically special, but the case may help illustrate the coming post-XSS world.

Risks

PayPal users are prohibited from changing the name on their PayPal account to a different person's name. When such a change is necessary, users must provide identity documents to PayPal in order to prevent "identity theft, money laundering, and the financing of terrorism" (see the video above), and it appears that real people working with PayPal verify them.

However, the bug allowed users to bypass the identification procedure and change the account name to an arbitrary one. A malicious user could therefore get verified by PayPal once through the legitimate procedure, and then "become" whoever they wanted to be.
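The post does not disclose how the bypass worked, so the following is an added, constructed model of the risk just described rather than PayPal's code or the actual flaw. It contrasts two ways of gating a name change behind human identity review: a weak design where review sets an account-wide "verified" flag (verified once, become anyone), and a hardened design where the reviewer's approval is bound to the exact name requested, is single-use, and is the only path that writes the name. All names, functions and the account model are hypothetical.

```python
"""Constructed example: gating account-name changes on identity review.

Not PayPal's code and not the mechanism of the bug described on this page;
a generic model of the 'verify once, then become anyone' risk.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


class IdentificationRequired(Exception):
    """Raised when a name change is attempted without matching review."""


@dataclass
class Account:
    account_id: str
    name: str
    # Weak design: one account-wide flag set by the reviewer.
    identity_verified: bool = False
    # Hardened design: per-request state, keyed by an unguessable case token.
    pending: dict = field(default_factory=dict)   # token -> digest of requested name
    approved: dict = field(default_factory=dict)  # token -> digest approved by reviewer


def name_digest(name: str) -> str:
    """Normalise whitespace and case so the same identity claim compares equal."""
    canonical = " ".join(name.split()).casefold()
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# --- Weak design -------------------------------------------------------------

def weak_reviewer_approve(acct: Account) -> None:
    """Reviewer checked documents once; the result is an account-wide flag."""
    acct.identity_verified = True


def weak_change_name(acct: Account, new_name: str) -> None:
    """Any later name change passes as long as the flag is set.

    The flag says 'this person was verified at some point', not 'this
    person is entitled to the name being requested now'.
    """
    if not acct.identity_verified:
        raise IdentificationRequired("submit identity documents for review")
    acct.name = new_name


# --- Hardened design ---------------------------------------------------------

def hardened_request_name_change(acct: Account, new_name: str) -> str:
    """Open a review case for exactly this name; nothing changes yet."""
    token = secrets.token_hex(16)
    acct.pending[token] = name_digest(new_name)
    return token


def hardened_reviewer_approve(acct: Account, token: str, documents_name: str) -> None:
    """Reviewer approves the name shown on the documents, not the account."""
    requested = acct.pending.pop(token, None)
    if requested is None:
        raise IdentificationRequired("no such review case")
    if requested != name_digest(documents_name):
        raise IdentificationRequired("documents do not match the requested name")
    acct.approved[token] = requested


def hardened_change_name(acct: Account, token: str, new_name: str) -> None:
    """The only code path that writes acct.name.

    The approval is consumed on use and must match the name being applied,
    so one review cannot be reused for a different name or a second change.
    Routing every write through one choke point also avoids the class of
    problem where a second endpoint updates the same field without the gate.
    """
    approved = acct.approved.pop(token, None)
    if approved is None or approved != name_digest(new_name):
        raise IdentificationRequired("name change not approved by identity review")
    acct.name = new_name
```

In the weak design a single successful review turns into a permanent licence to rename the account; in the hardened design the reviewer's decision is a one-time, name-specific credential, and rejecting a mismatch between the documents and the requested name happens at review time rather than being left to the reviewer's memory.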

Timeline

Report #1

Date                Event
March 2015          Reported the bug
April 22, 2015      Received an initial response
May 22, 2015        Received the initial part of the bounty
Summer 2015         PayPal largely redesigned the website, and the bug was fixed at the same time (or at least, the site was no longer vulnerable)
November 19, 2015   PayPal BBP "have determined that this issue will not be fixed", because the bug was "not actionable" (but you fixed it, didn't you?)
December 4, 2015    Received a supplementary "nominal" (term used by PayPal BBP) bounty

Report #2

Date                Event
December 11, 2015   Found a similar, unfixed bug elsewhere and reported it
January 22, 2016    Received the initial part of the bounty
April 23, 2016      PayPal BBP told me that the bug "has been fixed", but I confirmed that it had not been fixed yet
April 29, 2016      Received a supplementary final bounty (evaluated independently, but less than #1 in total)
April 29, 2016      Replied to PayPal BBP, with a PoC video, that the flaw was still there
April 30, 2016      PayPal BBP decided to work on the issue again
December 2, 2016    Noticed that the bug had been fixed at some point, and asked PayPal BBP for an update
December 13, 2016   PayPal BBP confirmed that the bug had been fixed, with no mention of a bounty

Remarks

In my opinion, it took too long to handle the bug, and PayPal BBP may have underestimated the flaw. At the time of my reports, PayPal BBP had published that up to $3000 would be rewarded for reporting authentication bypasses [1] (and $750 for CSRF was the minimum listed, while the total amount I received for the identification bypasses was less than $750). Both identification and authentication bypasses matter to some degree [2], even though flaws in identification are far less common than those in authentication. Granting that the BBP has the final say on the evaluation, the criteria may be unclear.

After all, I felt a bit unfairly treated in terms of the "bug bounty", compared to my experiences with other bug bounties. Anyway, as a PayPal user, I feel more at ease using a safer PayPal. Thanks, PayPal BBP and the team!

[FOOTNOTES]