responsible disclosure

PayPal Addresses Months-Old SQL Injection Vulnerability, Frozen Accounts

Researchers with Vulnerability Lab today announced that mega payment processor PayPal has fixed a flaw on its site that allowed a remote user, or a local user with low privileges, to compromise a Web application using a blind SQL injection. The vulnerability was first reported to PayPal back in August, according to Softpedia, but the company waited until now to announce a fix. PayPal awarded the researchers a $3,000 bounty for responsibly disclosing their find.

A Sprint spokeswoman today responded to a software developer’s claim that millions of Virgin Mobile users are vulnerable to attacks due to inadequate authentication mechanisms. In an email sent to Computerworld, Stephanie Vinge Walsh said Virgin Mobile, a subsidiary of Sprint, has multiple safeguards to prevent someone from tampering with users’ accounts.

Adobe took pains to defuse a dispute between the company and famed Google security researcher Tavis Ormandy, posting more information about the holes fixed by a patch for its Flash Player software. Adobe had claimed that 13 separate vulnerabilities were patched with the bulletin APSB11-21, while Ormandy said that the patch addressed hundreds of holes.

Google security researcher Tavis Ormandy has set the cat among the “responsible disclosure” pigeons with the release of technical details of a zero-day vulnerability affecting the Microsoft Windows Help and Support Center without giving Microsoft adequate time to prepare a patch.
