AfterDawn: Tech news

PayPal pays $10,000 to discoverer of massive security flaw (+video)

Written by James Delahunty @ 07 Dec 2014 7:57


An Egyptian security researcher has scooped PayPal's top payout for security bugs after discovering a massive security flaw that exposed the accounts of over 150 million users.
Yasser Ali was able to get around PayPal's CSRF prevention system and capture an authentication token that could be used to act on a customer's PayPal account. With it, an attacker could add, remove or confirm e-mail addresses, add fully privileged users to a business account, change security questions, billing info, shipping info, payment methods and so on.
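The defensive property at stake here is that an anti-CSRF token must be bound to the session it was issued for, must be present on every state-changing request, and must be compared in constant time; a captured token that still validates for another account or session defeats the whole mechanism. The following check is an added example written for this article, not PayPal's code and not a description of how Ali's bypass worked. It assumes a server-side secret and a session id supplied by the web framework, and uses an HMAC-derived token (a random per-session token stored server-side is an equally sound alternative).

```python
import hmac
import hashlib
import secrets

# Assumed server-side secret (constructed here for the example; a real
# deployment keeps this in a secrets manager and rotates it).
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive an anti-CSRF token bound to exactly one session.

    Because the token is an HMAC over the session id, a token captured
    from session A cannot be replayed against session B.
    """
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, presented_token) -> bool:
    """Return True only if the presented token is the one issued for this session."""
    # Missing, empty or non-string tokens are rejected outright rather than
    # falling through to a comparison that might accept them.
    if not isinstance(presented_token, str) or not presented_token:
        return False
    expected = issue_csrf_token(session_id)
    # Constant-time comparison avoids leaking the expected value via timing.
    return hmac.compare_digest(expected, presented_token)


def handle_change_email(session_id: str, form: dict) -> tuple:
    """A state-changing handler (hypothetical) that refuses to act without a
    token valid for the caller's own session. Returns (status, message)."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return (403, "CSRF token missing or not valid for this session")
    new_email = form.get("new_email", "")
    return (200, f"e-mail for session {session_id} changed to {new_email}")


if __name__ == "__main__":
    # Constructed walk-through: a token issued for one session is rejected
    # when replayed against another, and a request with no token is rejected.
    token_a = issue_csrf_token("sess-A")
    print(handle_change_email("sess-A", {"csrf_token": token_a,
                                         "new_email": "user@example.com"}))
    print(handle_change_email("sess-B", {"csrf_token": token_a,
                                         "new_email": "user@example.com"}))
    print(handle_change_email("sess-A", {"new_email": "user@example.com"}))
```

The two checks worth carrying into any real implementation are the ones the walk-through exercises: the token is rejected whenever it was not issued for the requesting session, and a request that omits the token never reaches the account-changing code path.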

He disclosed the bug to PayPal and received the firm's top award incentive for bug hunters, pocketing $10,000 for his work.

He also detailed how he beat PayPal's security systems on his blog, and provided a proof-of-concept video.
Via: Sophos (Naked Security)

Tags: PayPal

4 user comments

18.12.2014 08:49

Bloody hell! Just shut the internet down for good already!

28.12.2014 14:30

Hi James, Evelyn here with PayPal. Any chance you can share your email address?

38.12.2014 14:46

Thank God for no-life losers that hack this crap morning, noon and night. To have honestly caught this, you'd have to eat, breathe, see, and think ones and zeros and likely don't have much of a life outside of the keyboard and mouse.

I am grateful though.

49.12.2014 14:48

They should've added another '0' onto that amount.
