Friday, May 31, 2013
PayPal vulnerability finally closed
On Wednesday night, payment processor PayPal closed the security hole in its portal
that had been publicly known for five days. The company had been aware
of the vulnerability for about two weeks. The hole was a critical one:
it allowed attackers to inject arbitrary JavaScript code into the PayPal
site, potentially enabling them to harvest users' access credentials.
Why PayPal took so long to fix the hole is incomprehensible – the
information required to exploit the hole has been circulating on the net
since last week and there was an urgent need for immediate action. In
similar cases, affected companies tend to respond within 24 hours.
Another cause for irritation is that, even as late as Tuesday, a
PayPal spokesperson told The H's colleagues at heise Security that "at
this moment, there is no indication" that PayPal customer data is at
risk – despite heise Security providing proof to the contrary by
embedding their own login form into the HTTPS-secured PayPal site.
Attackers with a little more criminal motivation could have injected a
phishing page that, at first glance, looked identical to the original.
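The hole described above is a classic reflected cross-site scripting flaw: a value the attacker controls is copied into the page without output encoding, so markup and script in it execute in PayPal's origin. The snippet below is an added illustration, not code from the article or from PayPal; the page shape, the `searchTerm` parameter, the sample input and the CSP origin are all constructed. It contrasts an unencoded reflection with the output-encoded form, adds a Content-Security-Policy whose `script-src` and `form-action` directives blunt both injected inline script and an injected login form posting elsewhere, and includes a crude check a reviewer can run over rendered HTML.

```javascript
// Added example (not from the article or from PayPal): reflected-output
// rendering, unsafe vs. output-encoded, plus defence-in-depth headers.

// Constructed attacker-controlled input, as it might arrive in a query string.
// The script body is deliberately harmless; it only marks that it ran.
const SAMPLE_INPUT = '<script>window.injected = true</script>';

// The five characters that HTML body/attribute output encoding must neutralise.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the reflected parameter is dropped straight into the HTML body,
// so any markup in it becomes part of the page in the site's own origin.
function renderUnsafe(searchTerm) {
  return `<html><body><p>Results for: ${searchTerm}</p></body></html>`;
}

// Hardened: identical page, but the reflected value is output-encoded, so the
// browser shows the text "<script>" instead of executing a script element.
function renderSafe(searchTerm) {
  return `<html><body><p>Results for: ${escapeHtml(searchTerm)}</p></body></html>`;
}

// Defence in depth for the case where one encoding site is missed:
//  - script-src without 'unsafe-inline' stops injected inline <script> blocks
//    in CSP-enforcing browsers;
//  - form-action 'self' stops an injected login form from submitting
//    credentials to a third-party host;
//  - frame-ancestors 'none' keeps the page out of attacker-controlled frames.
// allowedScriptOrigin is an assumed static-asset host for illustration.
function cspHeader(allowedScriptOrigin) {
  return {
    'Content-Security-Policy':
      `default-src 'self'; script-src 'self' ${allowedScriptOrigin}; ` +
      `form-action 'self'; frame-ancestors 'none'`,
  };
}

// Crude review/detection check: does rendered HTML contain a <script> element
// or an inline event handler that the template itself never emits? Useful as a
// test assertion over templates that reflect user input.
function containsInjectedScript(html) {
  return /<script\b/i.test(html) || /\son\w+\s*=/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe contains script:', containsInjectedScript(renderUnsafe(SAMPLE_INPUT)));
console.log('safe contains script:  ', containsInjectedScript(renderSafe(SAMPLE_INPUT)));
console.log(cspHeader('https://static.example'));
```

The encoding function is the real fix; the CSP is a second layer that limits what a missed encoding site can do, which is exactly the kind of layer that would have narrowed the window between PayPal learning of the hole and closing it.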
The vulnerability was discovered by Robert Kugler, a 17-year-old student, who originally wanted to report it via the bug bounty program
that the company launched last year. When PayPal didn't allow him to
participate in the program because he wasn't yet 18, the student
released the details of his discovery on the Full Disclosure security
mailing list, but only after giving PayPal a week's period of grace,
which the company allowed to pass.
Kugler reports
that he received another email from PayPal yesterday in which the
company said: "the vulnerability you submitted was previously reported
by another researcher", which suggests that the company knew of the
problem for more than two weeks before moving to fix the issue. PayPal
says it is for this reason that they are not paying Kugler the bug
bounty and chastises Kugler for disclosing the issue to the public. The
company is, though, offering to send the young researcher a "Letter of
recognition" for his investigation.

This article was written by: Rajesh Darvesh
He is an Ethical Hacking and Security Professional with experience in various aspects of Information Security and Founder of The Hacker Voice. Other than this, he is an Internet Activist and a strong supporter of Anonymous and WikiLeaks. You can follow him on Twitter.