A 17-year-old German schoolboy posted information over the weekend about an apparent cross-site scripting (XSS) vulnerability in the popular money transfer site PayPal. The problem lies in the site's search function and, at least in the German version of the website, can be triggered with a string of JavaScript alert code.

Robert Kugler, the security researcher behind the bug, posted details about the vulnerability on the Full Disclosure mailing list on Friday. Now Kugler is finding his name in the headlines after PayPal allegedly informed him he was too young to qualify for an award.

“Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old…” Kugler, who turns 18 next March, wrote on Seclists.

Kugler wrote in the post that he’s interested in securing computer systems and in the past has dug up bugs for Microsoft – his name is listed in the security researcher acknowledgments last month – and found flaws in Mozilla’s Firefox browser on two separate occasions.

PayPal started its bug bounty program last June, following in the footsteps of companies like Mozilla and Facebook, which over the last few years have set up programs for the responsible disclosure of bugs. While Kugler's bug does appear to be in scope for the program, since it is new and affects a valid PayPal website, PayPal's terms and conditions make no mention of an age requirement for security researchers.

While it isn't clear whether PayPal plans to fix Kugler's vulnerability right away – emails to the company were not immediately returned on Tuesday – it fixed a similar XSS flaw last fall that allowed execution of client-side script and hijacking of browser cookies.
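The flaw described above is a reflected XSS in a search page: the query is echoed into the results markup without encoding. The following is an added example (not PayPal's code) showing a hypothetical results renderer in its vulnerable form beside a hardened one that encodes the query for the HTML contexts it lands in; the probe strings are constructed for the demonstration.

```javascript
// Added example, not code from the original article or from PayPal.
// renderResultsVulnerable / renderResultsSafe are hypothetical page templates.

// Encode the five characters that matter in element content and in
// double-quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the raw query is concatenated into the page twice, once into
// the search box's value attribute and once into the results heading.
function renderResultsVulnerable(query) {
  return `<input name="q" value="${query}">` +
         `<h2>Results for ${query}</h2>`;
}

// Hardened: every reflection of untrusted input is HTML-encoded, so a query
// can never close the attribute or open a new element.
function renderResultsSafe(query) {
  const q = escapeHtml(query);
  return `<input name="q" value="${q}">` +
         `<h2>Results for ${q}</h2>`;
}

// Assertion helpers: does the markup contain a live <script> tag, and how
// many tags does it contain at all? (Checks for the demo, not a sanitizer.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
function countTags(html) {
  return (html.match(/</g) || []).length;
}

// Constructed probe strings of the kind a Full Disclosure post would quote:
// one for element content, one that first breaks out of the value attribute.
const PROBES = [
  "<script>alert(1)</script>",
  '"><script>alert(document.cookie)</script>',
];

// Stand-alone run: the vulnerable template reflects both probes as live
// markup, the safe template reflects them as inert text.
for (const p of PROBES) {
  console.log("vulnerable leaks:", containsScriptTag(renderResultsVulnerable(p)));
  console.log("safe leaks:      ", containsScriptTag(renderResultsSafe(p)));
}
```

The tag count of the safe output never changes with the input, which is the property to assert in a regression test for a reflection sink.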

Categories: Vulnerabilities, Web Security

Comments (6)

  1. LeeW

    Wake up PayPal!
    You are the #1 money transfer site in the world (IMO).
    Why? SECURITY and a very good reputation for transferring money.
    This young person found a threat to your reputation and made you aware of this problem. He was old enough to find it and he/she is certainly old enough to collect according to your public bounty offering…
    This is another facet of PayPal? Oh!! Maybe I and millions of others have need to re-think PayPal's mores.

    PayPal is bruised in my previous opinion of PayPal. Fix this and pay what you publicly agreed to pay!

  2. Gary

    Per their bounty terms, “payment is paid out through a verified PayPal account, once the bug is fixed.” According to their user agreement terms for setting up a PayPal account, “you must be at least 18 years old and a resident of the United States or one of the countries listed on the PayPal WorldWide page.” So I’m guessing this is where things went awry if he didn’t have a parent/guardian help him set up a PayPal account prior to submitting his bug report.

  3. Dave

    Pay the kid… Ok, so maybe he didn’t exactly meet the rules, would you rather he had not disclosed the vulnerability? Be big about it, cut him some slack and a check.
