A 17 year old German schoolboy posted information over the weekend regarding an apparent cross site scripting (XSS) vulnerability in the popular money transfer site PayPal. The problem lies in the site’s search function and at least in the German version of the website can be triggered by using a string of Javascript alert code.
Robert Kugler, the security researcher behind the bug posted details about the vulnerability on the Full Disclosure mailing list Friday. Now Kugler is finding his name in the headlines after PayPal allegedly informed him he was too young to qualify for an award.
“Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old…” Kugler, who turns 18 next March, wrote on Seclists.
Kugler wrote in the post that he’s interested in securing computer systems and in the past has dug up bugs for Microsoft – his name is listed in the security researcher acknowledgments last month – and found flaws in Mozilla’s Firefox browser on two separate occasions.
PayPal started its bug bounty program last June, following in the footsteps of companies like Mozilla and Facebook who over the last few years have set up systems to responsibly disclose bugs. While Kugler’s bug does appear to be in scope with its program as it is new and is on the valid PayPal web site, PayPal fails to mention an age requirement for security researchers in its terms and conditions.
While it isn’t clear if PayPal is planning to fix Kugler’s vulnerability right away – emails to the company were not immediately returned on Tuesday – it fixed a similar XSS flaw last fall that allowed the execution of client-side script and browser cookie hijacking.