German student Robert Kugler, 17, says he found a bug on PayPal’s site.
Being a good netizen, he responsibly disclosed the bug by contributing it to PayPal’s Bug Bounty Program.
PayPal’s response was twofold: First, somebody else already found the cross-site scripting (XSS) flaw, the company said.
Secondly, ‘thanks, but no thanks, kiddo – you would have been too young to participate anyway’.
PayPal, did you irk a budding security researcher?
It certainly seems so, as Kugler’s next step was to do what is universally accepted in the security industry as irresponsible – he publicly disclosed the bug.
Kugler’s remark, from his May 24 full disclosure posting:
"I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s not the best idea when you're interested in motivated security researchers ..."
PayPal emailed this statement in defense of its actions to TechWeek Europe:
"While we appreciate Mr. Kugler’s contribution to PayPal’s Bug Bounty Program, we can confirm that the cross-scripting vulnerability he identified was already discovered by another security researcher and Mr. Kugler is ineligible to participate in the program since he is under 18 years old."
The flaw, found in PayPal’s search function, can be triggered with JavaScript code, as is common with XSS flaws.
The mischief that can be done with XSS flaws is exemplified in myriad ways, including Twitter getting exploited over its “onMouseOver” vulnerability and Yahoo accounts getting hijacked via a flaw in the company’s YDN blog page.
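The search-function flaw described above is the classic reflected pattern: the page echoes the user's query back into its HTML, so markup in the query becomes part of the page. The following is an added example, not code from the article, from PayPal, or from Kugler's disclosure; the function names (`escapeHtml`, `renderSearchUnsafe`, `renderSearchSafe`, `reflectsMarkup`) and the probe string are assumptions constructed for illustration. It puts the vulnerable template next to the output-encoded one and adds a small regression check that counts tags in the rendered page, which is a cheap way to catch any endpoint that reflects input without encoding it.

```javascript
// Added example (not from the article): reflected XSS in a search-results page,
// shown as the vulnerable pattern beside its hardened form.

// Encode the characters that carry meaning in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw query is interpolated into the page, so any
// element in the query is parsed by the browser as part of the page.
function renderSearchUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened pattern: the query is HTML-encoded before interpolation, so the
// browser renders it as literal text.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Regression check: render the template with an empty query, count its tags,
// then render with the probe and see whether extra tags appeared. Any increase
// means user input reached the page as markup rather than as text.
function countTags(html) {
  return (html.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}

function reflectsMarkup(renderFn, query) {
  return countTags(renderFn(query)) > countTags(renderFn(""));
}

// Constructed probe: a harmless element is enough to prove reflection; a
// defender does not need a scripted payload to detect the bug.
const probe = "laptop <b>injected</b>";

console.log("unsafe reflects markup:", reflectsMarkup(renderSearchUnsafe, probe)); // true
console.log("safe reflects markup:  ", reflectsMarkup(renderSearchSafe, probe));   // false
console.log(renderSearchSafe(probe));
```

The tag-counting check is deliberately template-agnostic: it does not need to know what the page looks like, only that a benign query adds no elements, so it can be dropped into tests for any view that reflects input.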
Kugler said he notified PayPal of the vulnerability on May 19 but was told that because he’s under the age of 18, he’s ineligible for the Bug Bounty Program. He turns 18 in March 2014.
One problem: in spite of PayPal’s having cited an age guideline, no such age limit is apparent on its Bug Bounty Program site.
Unsurprisingly, PayPal is taking a licking on Reddit over the perceived faux pas.
Redditor “x9k” notes, for example, that both Google and Mozilla pay underage bug finders with the go-ahead from an adult.
x9k goes on to post the following incidents concerning security researchers, one of whom, at least, is far younger than Mr. Kugler:
- Mozilla paid a 12-year-old boy $3,000 for a flaw in the memory of the Firefox browser.
- Teenager “Pinkie Pie” received a $60,000 bounty for finding a flaw in Google’s Chrome browser.
- Fifteen-year-old Norwegian Cim Stordal, who made the Google Security Hall of Fame, was credited with disclosing an XSS issue to Apple, was thanked by Microsoft officials for disclosing a security vulnerability, and received a “White Hat” Visa card from Facebook worth $500 credit.
At any rate, PayPal said in its statement that it’s working to fix the XSS issue, which hasn’t yet been exploited:
“We are working quickly to fix the cross-scripting issue, and we have not found any evidence at this time that our customers’ information has been compromised by this vulnerability."
Was PayPal right to not pay Kugler?
On the basis that others found the bug first, declining to pay him is defensible, regardless of his age.
PayPal subsequently sent me a statement to that effect:
"In this specific situation, the cross-site scripting vulnerability was already discovered by another security researcher, so it would not have been eligible for payment, regardless of age, as we must honor the original researcher that provided the vulnerability."
But I think not paying him on the basis that Kugler isn’t 18 is utterly feeble. Yes, of course companies like PayPal should pay security researchers who find bugs, regardless of their age.
Were Kugler the first to find the flaw, he should have gotten paid, end of story.
The last thing that the world of information security needs is to discourage up-and-coming security researchers.
PayPal is eating a bit of humble pie over this one, looking at ways to better encourage young security researchers in the wake of the bad publicity it’s getting over dissing Kugler.
To wit, it’s going to send him a letter (hopefully, a respectful and apologetic one). From PayPal’s statement:
"We appreciate the security researcher's efforts and this situation illustrates that PayPal can do more to recognize younger security researchers around the world. As a first step, we are sending an official letter of recognition for the researcher's contribution and we are exploring other ways to recognize younger security researchers when they do discover a vulnerability and responsibly disclose that discovery."
OK. As a first step, a letter is, likely, better than nothing.
But I don’t understand why PayPal has to explore “other ways to recognize younger security researchers” when they discover and responsibly disclose a vulnerability.
The company already has a way to recognize bug finders. That way is cash. Why should age play a part in rewarding a bounty?
And on the subject of public disclosure, should Kugler have publicly disclosed the bug, out of spite?
No.
But hell hath no fury like a security researcher scorned.
Images of bug and teenager courtesy of Shutterstock.
"Why should age play a part in rewarding a bounty?"
Errrr, for legal reasons?
We've frequently heard of youngsters getting away with virus writing and hacking because they were under 18 and thus too young to be treated as adults. So youngsters under 18 in Germany could use illegal ways to find bugs for bounty programs knowing that if they were caught, little or nothing would happen, but if they weren't, and succeeded, they'd be eligible for the same cash rewards as Big People. If adults followed the same track, they could be in serious trouble. So having an 18-limit keeps a legally-level playing field.
(He didn't exactly behave like an adult when PayPal told him someone else beat him to it.)
1) “Illegal ways to find bugs”: I can’t think of any real-world examples regarding that, absolutely.
Illegal ways to exploit bugs: Yes.
2) I am from Germany. It is perfectly legal to pay hard work over here and it should be.
3) Other companies are paying underaged security researchers. Why isn’t PayPal? That’s what Sophos wanted to point out here I think and it’s a perfectly fine question.
From memory, most bounty programs include a special disclaimer about paying out only for bugs found using lawful and non-disruptive means.
For example, let's say you found an information disclosure flaw, but only by DDoSsing the site with a botnet until it collapsed. Or you found a buffer overflow in a company's web server, but only by breaking in to the company's engineering network and stealing source code.
Just another example of the entitlement young Internet users have these days. "You didn't pay me, so now I'm going to disclose this vulnerability". The real issue here is this "security researcher's" lack of ethics.
We don't hire people under 18 where I work either, but I always supposed there were valid business reasons for not doing so. Perhaps we're just evil like Paypal and have it out for those young whippersnappers.
Now that is supporting young talent.
Can I spot some jealousy in your post? Either that or plain ignorance.
Work has to be honoured if it is done. If PayPal promises a bounty it has to pay; if they do not specify in the first place who is entitled to win, they have to pay to anyone. Period.
"Now that is supporting young talent."
He lost my support when he disclosed the vulnerability. Ethics are important too, and in short supply it seems.
"Work has to be honoured if it is done"
No, it doesn't as you can plainly see. In this case, the bug was already reported and the reporter's age did not comply with the bounty program. It's Paypal's program, not yours. It seems to me there is a ton of ambiguity in most of the bounty programs. Hell, they don't even provide a bounty amount in some cases. I suppose that's what you get for this kind of work.
How do you know I'm not jealous AND plain ignorant anyway? Perhaps that's harder to spot?
Kind of funny how quick you are to just say his problem is a "lack of ethics". A lot of hackers consider it perfectly acceptable to notify a company and then after a period of time release the vulnerability. This gives the company time to fix the problem while also lighting a bit of a fire under them to fix it.
So here we have a kid told, "Sorry, you were not the first to find it, and well we wouldn't pay you anyways because of a rule we can't bother posting." He then goes on to release the vulnerability. I do not really see this being a huge problem ethically. PayPal already got the "warning shot" from another researcher. Now this kid has lit the fire.
So is he Kruger or Kugler?
Seems he's Kugler. I'll edit this…thanks for spotting!
I reported about 10 vulnerabilities to PayPal and all were 'duplicated'.
http://img819.imageshack.us/img819/8236/paypalbug…
I, for one, will not be ostracizing Kugler for his find. PayPal could have done a couple of things differently in this situation. First, they could have dismissed Kugler's find as already having been identified… without age being brought into it. Second, bringing up the age factor, when it is not openly cited on their Bug Bounty program, is flat out wrong. However, I can understand why the age limit should be in place, as one of the previous posters cited, and that is legality/accountability.
That being said, Mr. Kugler did not help his, nor any other junior security researcher's case, by spitefully disclosing the vulnerability in a public forum.
Both sides could have handled it much better and achieved better results.
I strongly disapprove his act of publicly disclosing the bug because many PayPal users around the globe shall face complicated issues if a black hat hacker takes advantage of it.
Putting millions of people's financial information in danger just because you did not get paid is a selfish act. In my opinion he doesn't even deserve a letter.
I am surprised that the author wrote an entire blog post in favor of this fellow criticizing PayPal but did not notice the gravity of his actions.
I believe the post just did notice that: "It certainly seems so, as Kugler's next step was to do what is universally accepted in the security industry as irresponsible – he publicly disclosed the bug."
Perhaps not the gravity, but the sheer fact that this was irresponsible certainly.
Even though this act in this case was irresponsible there is a very narrow line between what is the correct action in a situation like that.
1. Disclosing the information itself does not endanger the users, since the danger comes from the bug and not from the disclosure of the information. However the disclosure of the information may increase the danger.
2. Keeping the information secret may also increase the danger when the entity capable of fixing the bug does not act responsibly and appropriately. In such a situation, informing the users of the security flaw may significantly reduce the danger.
The question of which comes first, the point at which disclosing the information does more good than harm, probably cannot be reasonably answered. The one who has the information in hand decides.
From time to time there are movements that would like to take the decision from the hand of the person threatening such a disclosure with legal counter actions. However this leads to the field of free speech that – in my opinion – prevails at all costs. Even the cost of information security. You just do not want to live secure: locked up in a prison. This leads too far to discuss here.
He's perfectly fine. PayPal acted like scumbags, let's not forget it. Bringing age discrimination into it? Really smart. That will surely motivate underage researchers to report their findings…
Also everyone seems to be forgetting that this is a common practice in this industry to publish this kind of findings after enough time for the company to fix the issue. Clearly PayPal thinks that age is a factor to break the specified rules. It might seem harsh what he did but it's PayPal who made up rules on the spot – they're not in the guidelines, ditto! That at least brought enough publicity to the issue. PayPal is in the wrong and they should be called on it.
See this is just plain stupidity and anal head cells at its absolute finest. Paypal could have soared in terms of trust had they have rewarded the lad. Jeez a few K to them is like a penny to us.
I actually did not know this and will be closing my paypal account and looking at alternative ways to have that type of facility.
This makes no sense…Paypal…why when other companies do something like this and then they pay out to someone who is only 12 years old…so why doesn't paypal…their logic makes no sense whatsoever!
Why can't bounties be shared between all those who discover a particular vulnerability, prior to the vulnerability being patched?
Well, you can say that he was selfish in disclosing it, BUT, Paypal was also selfish in not rewarding him in the first place.
Saying that someone had already beaten him to it does not encourage young researchers to submit problems as they will wonder whether it will be accepted.
Maybe they should have a site that you can access where it shows what bugs have been reported. I am sure a sanitised version of the bug could be put up there.
I would suggest that part of Kugler's thinking was "since PayPal claims they have already been notified about the bug then disclosing the issue is no big deal since they should have fixed it by now then." Not saying it is right… just his judgment being skewed a bit I guess with a bit of prove it mentality.
What other recourse does someone have that sees an actively exploitable bug, and are told "without proof" that we already know about that? Again I am not suggesting what he did was right… just wondering what would have been better?
Looks like it's hands down for payment. Typical Pay-Pal operations. I don't and will never use them and everything with them seems to become so involved it isn't worth the time.
It would be nice for them to announce who did collect on it and when they were acknowledged to have announced it to Pay Pal. This would help. Sounds like they were going to stiff him no matter what.
Another vote for the corporate people?
Jack
Did someone actually previously find the bug, or was this just an excuse to avoid paying a reward? Age should not be an issue in this matter; isn't the internet supposed to be age/gender neutral?
Paypal are doubly wrong.
If they knew about the bug they should have expedited counter-measures. The reward should be available to all who told them about it before they killed the bug.
Secondly, having made and broadcast the rules, they are altering them retrospectively.
I do not condone the youngster's behaviour in publicly disclosing the bug, but that is liable to happen when a juvenile trouble-shooter is shunned by the company he tried to help.
Way to go Paypal – way to inspire our youth to explore and excel – though to be honest, don't expect much from you guys – and you deliver – in spades.
And on the subject of public disclosure, should Kruger have publicly disclosed the bug, out of spite?
Yes. As we see, it works. Otherwise the behavior of PayPal would have been forgotten which would be bad.
The age issue is moot as the cross-site scripting (XSS) flaw was previously reported in November of 2012. In this case, paypal’s refusal was legit. If you need confirmation, google it.