PayPal Vulnerability Finally Closed

MajorDomo

Cat Can't Scratch It
Joined
May 9, 2000
Messages
75,453
Good news for PayPal users; PayPal finally closed off the vulnerability that would allow hackers to gain access to the user's personal information. The hole was discovered two weeks ago, but PayPal officials felt the risk to users' security was minimal. The hole would have gone undiscovered by PayPal until a 17-year-old student found it, but he was denied a reward for reporting it due to his age.

When PayPal didn't allow him to participate in the program because he wasn't yet 18, the student released the details of his discovery on the Full Disclosure security mailing list, but only after giving PayPal a week's period of grace, which the company allowed to pass.
 

mynamehere

[H]ard|Gawd
Joined
Jun 30, 2007
Messages
1,762
Great way to give incentive to kids under 18 to report their findings. :rolleyes:
What a bunch of butt nuggets.
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
Yeah that's retarded. I guess anyone under 18 who finds a security flaw will just release it to the "black hat" hacker community instead now. May as well.

And it sounds like they were fluffing it off too. A security exploit that can reveal users' personal info is quite bad if you ask me... people have their banking and cc info and stuff on there. But as long as it does not affect the CEO or shareholders then all is cool right?
 

Spidey329

[H]F Junkie
Joined
Dec 15, 2003
Messages
8,682
Great way to give incentive to kids under 18 to report their findings. :rolleyes:
What a bunch of butt nuggets.
It's utterly despicable. To use a slight loophole to get out of paying for something they should pay for. Shows just how poor of a corporation PayPal is.
 

WorldExclusive

[H]F Junkie
Joined
Apr 26, 2009
Messages
10,871
Can't enter into a contract with someone under 18, but they could have given a scholarship in exchange.
 

Megalith

24-bit/48kHz
Staff member
Joined
Aug 20, 2006
Messages
13,004
Two weeks? In the words of Roman Pearce, are you serious right now?...
 

boss99

2[H]4U
Joined
Dec 29, 2006
Messages
2,604
Why should they care? It's not like they're a bank or some other financial institution that's regulated and monitored and they basically created their own market and control it.
 

rand4505

Limp Gawd
Joined
Oct 25, 2007
Messages
272
In all fairness to PayPal it ain't so simple. They are having to comply with child labor laws in the US, and those forbid them from paying (employing) this kid. However, they could have offered to pay it to his parents or find some other means. By not aggressively looking for other means to compensate the kid they come off as asshats, but the laws need to be fixed too; it's not a cut-and-dried situation.
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
In all fairness to PayPal it ain't so simple. They are having to comply with child labor laws in the US, and those forbid them from paying (employing) this kid. However, they could have offered to pay it to his parents or find some other means. By not aggressively looking for other means to compensate the kid they come off as asshats, but the laws need to be fixed too; it's not a cut-and-dried situation.
I don't get that though; you can work at 16, so how is giving a prize in violation of labour laws? Not like he was actually hired or obligated to do what he did anyway. It's equivalent to giving a birthday present or something. Bah, US law is so weird sometimes. Too much red tape and crap. I blame lawyers. :p
 

rand4505

Limp Gawd
Joined
Oct 25, 2007
Messages
272
The kid is from Germany, not the US; the article linked by [H] fails to mention that. So PayPal has to comply with the labor laws that cover foreign citizens.

http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html

PayPal pays the bounties via, of course, PayPal, and you must be 18 to comply with govt regulations.

"The Federal Labor Standards Act has provisions about anyone under the age of 18 working for companies whose revenue is greater than $500,000. It sucks to be a kid for a lot of reasons." from HN comments here -> https://news.ycombinator.com/item?id=5771647
 

jojo69

[H]F Junkie
Joined
Sep 13, 2009
Messages
10,564
or make a scholarship and award it to the kid

no mercy here, die in a fire PayPal
 

Spidey329

[H]F Junkie
Joined
Dec 15, 2003
Messages
8,682
Can't enter into a contract with someone under 18, but they could have given a scholarship in exchange.
It's still a horrible copout. They could have even written the check to the parents. It's just about them trying to shave a few bucks.
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
Yeah, I still don't see how giving something, even some recognition, has anything to do with labour laws. Not like they assigned him a task. Though corporations tend to have a lot of red tape and so does the law, so it's just an all-round BS situation given the simple act of giving something is rendered super complex. But yeah, there's plenty of simple workarounds they could have done anyway, such as giving it to the parents. It's not like the kid is asking for a million bucks or anything. A couple hundred maybe would make him real happy, and that's peanuts for a corporation. They probably made more than that in the time it took them to say no.
 

Methadras

Supreme [H]ardness
Joined
Dec 19, 2000
Messages
6,132
All paypal did in this case is give a giant fuck you to anyone that would help them reward or not. Who the fuck runs their PR department? What a moronic move.
 

BoogerBomb

Supreme [H]ardness
Joined
Jan 10, 2003
Messages
6,470
The race is on by the teens out there to find more vulnerabilities to publish as punishment. Do they not know that more times than not, I bet, it's a teenager that finds serious vulnerabilities?
 

Devistater

Gawd
Joined
Mar 29, 2001
Messages
651
If you are feeling sympathetic for paypal, you probably didn't RTFA.

They also said that he wasn't the first to report it. Which means they've known about it and not bothered to fix it for longer than 2 weeks.
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
What sucks is if someone was to hack them they'd be sent to jail. In reality, it should be Paypal held responsible for not bothering to fix the exploit. This is why I think hacking should be legalized. It's time for companies to be held more liable for securing their stuff instead of depending on the law.

When Paypal found out about this exploit they should have dropped all tools to fix it, and also disable the broken part completely. Heck, disable the entire site/service if you have to. A security exploit with what is basically a bank, is serious business. But of course they're more worried about their bottom line so they'd never do that. If someone gets their bank account emptied because someone hacked into Paypal, they could not care less.
 

BoogerBomb

Supreme [H]ardness
Joined
Jan 10, 2003
Messages
6,470
If you are feeling sympathetic for paypal, you probably didn't RTFA.

They also said that he wasn't the first to report it. Which means they've known about it and not bothered to fix it for longer than 2 weeks.
Fuck no I'm not. I'm saying they may have fucked themselves. The next person may just skip Paypal and go straight to public release.
 

flatrock

Limp Gawd
Joined
Apr 7, 2010
Messages
144
Can't enter into a contract with someone under 18, but they could have given a scholarship in exchange.
That just means they couldn't have a legally binding agreement in which he would have to keep quiet about the security hole.

If they were a little smarter they would have agreed to pay him the money after a certain amount of time had passed. If he didn't keep his mouth shut until after they had enough time to fix it, he wouldn't get his money. If he did live up to his end of the agreement they would be legally required to pay him.

A contract cannot be enforced against someone under 18. However, someone over 18 can still be held accountable for agreements made with minors.

They should have a plan in place to deal with minors reporting security holes, and not one that discourages them from doing so in the future.

Pay the kid the finder's fee and thank him publicly, then come up with a better process for the future.
 

Deleted member 88227

Guest
Can't enter into a contract with someone under 18, but they could have given a scholarship in exchange.
Google and other companies have had no problems at all paying that same 17 year old for finding exploits in their systems as well. So why can't Paypal do the same? Because Paypal sucks, that's why.
 

niffcreature

Limp Gawd
Joined
Apr 2, 2010
Messages
143
IDGAF personally, all I use is VCCs for paypal and people know how to cancel the credit cards...

They must have told him he wouldn't get a reward BEFORE the 2-week period... I wonder how many SSNs were leaked? :D
 

Ocean

Supreme [H]ardness
Joined
Oct 19, 2003
Messages
4,924
Could they wait until he is 18 to give him the money?
 

Cbshahji

[H]ard|Gawd
Joined
Jul 3, 2010
Messages
1,951
Greedy bastards, give the nice kid a scholarship for whichever university he wants to go to/is in. No need to wait for him to turn 18, plus a tax break.
 