A tale of three bug bounties
I have been lately shiftless regarding publishing and my recent articles on Infosec Institute were more descriptive than technical. Thus, I decided to write this blog post about three interesting security vulnerabilities I discovered in three programs : (1) PayPal, (2) and (3) are private programs on HackerOne that I will not be disclosing. The security flaws will be in the following order :
- Insecure Direct Object References : Partial disclosure of users payment information.
- Sensitive Information Disclosure : Users PII disclosure (Including hashed passwords)
- PayPal Unvalidated Redirect leading to Potential Cross-Site Scripting (XSS)
The first vulnerability was found two days before heading to DefCon 😀 The bug affected a recent acquisition of a quiet renowned U.S corporation. It was an Insecure Direct Object References which occurs when there are insufficient authorization checks performed against object identifiers used in requests. However, the vulnerable endpoint was an internal API that was used to retrieve data and the API edge in question was not visible to the naked eye which required me to perform a quick manual bruteforcing against the endpoint using common API edges.
The API endpoint you can spot while capturing HTTP requests was :
This would return user profile information. The invisible edge was ‘credit_cards‘ followed by Node ‘CC_ID‘ which identifies the user’s credit card information :
Otherwise the address mail associated with user PayPal account will be revealed
PRO-TIP: If you ever come across undocumented or internal API, always try to a conduct a comprehensive mapping and recon to uncover all edges that might lack sufficient authorizations.
July 24th, 2016 : Discovered, reported then fixed at the same day.
July 25th, 2016 : Bounty awarded $2000
The second security vulnerability was recently identified in another private program particularly in obsolete login endpoint. When you try to login using an invalid password, the application is likely to display a basic authentication login error, however the secret to finding bugs is by capturing and analyzing HTTP traffic in which you will notice that the login HTTP response, formatted in JSON, reveals users’ Personal Identifiable Information (PII) as well as hashed password (Salted SHA-1, Bycrypt) as you can see in the below screenshot :
The service is used by over than six million IT professionals and it was very sufficient to enter any e-mail in order to disclose the account’s hashed password and important information. The security team quickly handled the report, but unfortunately the payout was not as expected.
December 4th, 2016 : Dicovered and reported
December 7th, 2016 : Bounty of $1000 Awarded
If you try to redirect to an external domain such as :
it would not succeed and you are likely to be taen back to PayPal homepage.
However, I found that three forward slashes would bypass the validation in place, so the exploitation will be as follows :
First thing I did was to try and escalate this unvalidated redirect to an exploitable Cross-Site Scripting (XSS). I used the Data: trick
October 22th, 2016 : Discovered and Reported to PayPal
November 2nd, 2016 : Confirmed by PayPal
November 22th, 2016 : Initial bounty of $750
December 7th, 2016 : Vulnerability patched and a final payment of $750 ($1500 total)
The article came to its end, hoping that the minutes you spent reading it were very worth it. Please do not hesitate to post a comment shall you have any question, remark or suggestion.