PayPal Vulnerability Finally Closed

CommanderFrank

Good news for PayPal users; PayPal finally closed off the vulnerability that would allow hackers to gain access to the user's personal information. The hole was discovered two weeks ago, but PayPal officials felt the risk to users' security was minimal. The hole would have gone undiscovered by PayPal until a 17-year-old student found it, but he was denied a reward for reporting it due to his age.

When PayPal didn't allow him to participate in the program because he wasn't yet 18, the student released the details of his discovery on the Full Disclosure security mailing list, but only after giving PayPal a week's period of grace, which the company allowed to pass.
 
Great way to give incentive to kids under 18 to report their findings. :rolleyes:
What a bunch of butt nuggets.
 
Yeah that's retarded. I guess anyone under 18 who finds a security flaw will just release it to the "black hat" hacker community instead now. May as well.

And it sounds like they were fluffing it off too. A security exploit that can reveal users' personal info is quite bad if you ask me... people have their banking and cc info and stuff on there. But as long as it does not affect the CEO or shareholders then all is cool right?
 
Great way to give incentive to kids under 18 to report their findings. :rolleyes:
What a bunch of butt nuggets.

It's utterly despicable. To use a slight loophole to get out of paying for something they should pay for. Shows just how poor of a corporation PayPal is.
 
Can't enter into a contract with someone under 18, but they could have given a scholarship in exchange.
 
Two weeks? In the words of Roman Pearce, are you serious right now?...
 
Why should they care? It's not like they're a bank or some other financial institution that's regulated and monitored and they basically created their own market and control it.
 
In all fairness to PayPal, it ain't so simple. They are having to comply with child labor laws in the US, and those forbid them from paying (employing) this kid. However, they could have offered to pay it to his parents or find some other means. By not aggressively looking for other means to compensate the kid they come off as asshats, but the laws need to be fixed too; it's not a cut-and-dry situation.
 
In all fairness to PayPal, it ain't so simple. They are having to comply with child labor laws in the US, and those forbid them from paying (employing) this kid. However, they could have offered to pay it to his parents or find some other means. By not aggressively looking for other means to compensate the kid they come off as asshats, but the laws need to be fixed too; it's not a cut-and-dry situation.

I don't get that though, you can work at 16, so how is giving a prize in violation of labour laws? Not like he was actually hired or obligated to do what he did anyway. It's equivalent to giving a birthday present or something. Bah, US law is so weird sometimes. Too much red tape and crap. I blame lawyers. :p
 
The kid is from Germany, not the US; the article linked by [H] fails to mention that. So PayPal has to comply with the labor laws that cover foreign citizens.

http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html

PayPal pays the bounties via PayPal, of course, and you must be 18 to comply with government regulations.

"The Federal Labor Standards Act has provisions about anyone under the age of 18 working for companies whose revenue is greater than $500,000. It sucks to be a kid for a lot of reasons." from HN comments here -> https://news.ycombinator.com/item?id=5771647
 
Or make a scholarship and award it to the kid.

no mercy here, die in a fire PayPal
 
Can't enter into a contract with someone under 18, but they could have given a scholarship in exchange.

It's still a horrible copout. They could have even written the check to the parents. It's just about them trying to shave a few bucks.
 
Yeah, I still don't see how giving something, even some recognition, has anything to do with labour laws. Not like they assigned him a task. Though corporations tend to have a lot of red tape and so does the law, so it's just an all-round BS situation given the simple act of giving something is rendered super complex. But yeah, there's plenty of simple workarounds they could have done anyway, such as giving it to the parents. It's not like the kid is asking for a million bucks or anything. A couple hundred maybe would make him real happy, and that's peanuts for a corporation. They probably made more than that in the time it took them to say no.
 
All PayPal did in this case is give a giant fuck you to anyone that would help them, reward or not. Who the fuck runs their PR department? What a moronic move.
 
The race is on by the teens out there to find more vulnerabilities to publish as punishment. Do they not know that more times than not, I bet, it's a teenager that finds serious vulnerabilities?
 
If you are feeling sympathetic for paypal, you probably didn't RTFA.

They also said that he wasn't the first to report it. Which means they've known about it and not bothered to fix it for longer than 2 weeks.
 
What sucks is if someone was to hack them they'd be sent to jail. In reality, it should be Paypal held responsible for not bothering to fix the exploit. This is why I think hacking should be legalized. It's time for companies to be held more liable for securing their stuff instead of depending on the law.

When PayPal found out about this exploit they should have dropped all tools to fix it, and also disabled the broken part completely. Heck, disable the entire site/service if you have to. A security exploit with what is basically a bank is serious business. But of course they're more worried about their bottom line, so they'd never do that. If someone gets their bank account emptied because someone hacked into PayPal, they could not care less.
 
If you are feeling sympathetic for paypal, you probably didn't RTFA.

They also said that he wasn't the first to report it. Which means they've known about it and not bothered to fix it for longer than 2 weeks.

Fuck no, I'm not. I'm saying they may have fucked themselves. The next person may just skip PayPal and go straight to public release.
 
Can't enter into a contract with someone under 18, but they could have given a scholarship in exchange.

That just means they couldn't have a legally binding agreement in which he would have to keep quiet about the security hole.

If they were a little smarter they would have agreed to pay him the money after a certain amount of time had passed. If he didn't keep his mouth shut until after they had enough time to fix it, he wouldn't get his money. If he did live up to his end of the agreement they would be legally required to pay him.

A contract cannot be enforced against someone under 18. However, someone over 18 can still be held accountable for agreements made with minors.

They should have a plan in place to deal with minors reporting security holes, and not one that discourages them from doing so in the future.

Pay the kid the finder's fee and thank him publicly, then come up with a better process for the future.
 
Can't enter into a contract with someone under 18, but they could have given a scholarship in exchange.

Google and other companies have had no problems at all paying that same 17-year-old for finding exploits in their systems as well. So why can't PayPal do the same? Because PayPal sucks, that's why.
 
IDGAF personally, all I use is VCCs for PayPal, and people know how to cancel the credit cards...

They must have told him he wouldn't get a reward BEFORE the 2-week period... I wonder how many SSNs were leaked? :D
 
Could they wait until he is 18 to give him the money?
 
Greedy bastards, give the nice kid a scholarship for whichever university he wants to go to/is in. No need to wait for him to turn 18 + tax break.
 