The computer security industry has made many positive changes since the early days of computing. One thing that seems to be catching on with bigger tech companies is bug bounty programs. PayPal offers such a program and [Yasser] decided to throw his hat in the ring and see if he could find any juicy vulnerabilities. His curiosity paid off big time.
PayPal is a huge player in the payment processing world, but that doesn’t mean they are without flaws. Sometimes the bigger the target, the more difficult it is to find problems. [Yasser] wanted to experiment with a cross-site request forgery attack. This type of attack typically requires the attacker to trick the victim into clicking a malicious link. The link would then impersonate the victim and make requests on the victim’s behalf. This is only possible if the victim is logged into the target website.
PayPal has protection mechanisms in place to prevent this kind of thing, but [Yasser] found a loophole. When a user logs in to make a request, PayPal gives them an authentication token. This token is supposed to be valid for one user and one request only. Through experimentation, [Yasser] discovered a way to obtain a sort of “skeleton key” auth token. The attacker can attempt to initiate a payment transfer without first logging in to any PayPal account. Once the transfer is attempted, PayPal will request the user to authenticate. This process produces an auth token that apparently works for multiple requests from any user. It renders the authentication token almost entirely ineffective.
Once the attacker has a “universal auth token”, he can trick the victim into visiting a malicious web page. If the user is logged into their PayPal account at the time, the attacker’s webpage can use the universal auth token to trick the victim’s computer into making many different PayPal requests. Examples include adding email addresses to the account, changing the answers to security questions, and more. All of this can be done simply by tricking the user into clicking on a single link. Pretty scary.
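The defect at the heart of this story is a CSRF token that is not bound to the user it was issued to. The following small example is added here and is not code from [Yasser]’s write-up or from PayPal; it models a token store with a flawed check (accepts any token the server ever issued, as the “universal auth token” behaves) beside the strict check a server should perform (token must belong to the current session’s user and be single-use). The class and user ids are assumptions for illustration.

```python
import hmac
import secrets


class CsrfTokens:
    """In-memory CSRF token store (constructed for this example).

    Maps token -> {"user": user_id, "used": bool}. A real server would keep
    the token in the user's server-side session rather than a global table.
    """

    def __init__(self):
        self._tokens = {}

    def issue(self, user_id):
        """Issue a fresh, unguessable token bound to one user (single-use)."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"user": user_id, "used": False}
        return token

    def validate_weak(self, token, user_id):
        """Flawed check, modelling the behaviour the post describes: the server
        only asks "did I ever issue this token?", so a token obtained in an
        anonymous flow is accepted on requests made as any logged-in user,
        and it can be replayed any number of times."""
        return token in self._tokens

    def validate_strict(self, token, user_id):
        """Correct check: the token must exist, must be bound to the user
        making the request, and must not have been used before. It is
        consumed on success so it cannot be replayed."""
        record = self._tokens.get(token)
        if record is None or record["used"]:
            return False
        # Constant-time comparison of the bound user id against the requester.
        if not hmac.compare_digest(record["user"], user_id):
            return False
        record["used"] = True
        return True


def demonstrate():
    """Walk through the scenario from the post and return the outcomes."""
    store = CsrfTokens()

    # Token minted during an anonymous (not logged-in) transfer attempt.
    anon_token = store.issue("anonymous")

    # The same token later presented on a request made in the victim's session.
    weak_accepts_foreign_token = store.validate_weak(anon_token, "victim")
    strict_accepts_foreign_token = store.validate_strict(anon_token, "victim")

    # A token issued to the victim is accepted once, then rejected on replay.
    victim_token = store.issue("victim")
    first_use = store.validate_strict(victim_token, "victim")
    replay = store.validate_strict(victim_token, "victim")

    return {
        "weak_accepts_foreign_token": weak_accepts_foreign_token,
        "strict_accepts_foreign_token": strict_accepts_foreign_token,
        "first_use": first_use,
        "replay": replay,
    }


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

The strict validator is what makes the token “valid for one user and one request only”, as the post puts it: binding to the user defeats a token minted outside the victim’s session, and consuming it on use defeats replay across many requests.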
[Yasser] was responsible with his disclosure, of course. He reported the bug to PayPal and reports that it was fixed promptly. It’s always great to see big companies like PayPal promoting responsible disclosure and rewarding it rather than calling the lawyers. Be sure to catch a video demonstration of the hack below.
Here’s a challenge tailored to our community if we’ve ever seen one. You know those delightful unsolicited prerecorded calls you get from time to time? They might be political, but they also come from companies trying to sell you vinyl siding, or promising improvements in your business. Well they’re against the law in many cases, and complaints to the Federal Trade Commission have been piling up. So now the FTC is offering a $50,000 bounty to anyone who can find a way to block the calls.
It’s called the Robocall Challenge and you’ve got until January 17th, 2013 to get your entry submitted. The great thing is, this doesn’t need to be a fully working solution. Your entry may be: “proposed technical solutions or functional solutions and proofs of concept”. Even better, you retain ownership of the solution even if you win. This type of recognition will surely have telco-related companies beating a path to your door.
Of course if you do have a solution, we’d love to hear about it too!
[Thanks Filespace via WCPO]
If you spent your weekend outside and away from the Internet, you might have missed the massive liquidation of HP TouchPads on Amazon, woot.com, WalMart, and the HP online store. Normally a $100 fully featured tablet is nothing to scoff at, but there is a catch: The HP TouchPad runs WebOS. WebOS is a fine operating system for a tablet, but it’s not Android. The folks at HacknMod.com posted a bounty for the first person to port Android to the HP TouchPad.
HacknMod is offering up $450 for a basic Android port and is looking for sponsors for the WiFi, Audio, Camera, and MultiTouch bounties. There’s a lot of discussion about the port on the XDA Developers and the RootsWiki forums if you’d like to get a bearing on how far along the project is. The TouchPad has already been rooted so there’s your starting point.
We’d like to throw our hat into the ring, but we missed out on the TouchPad fire sale. If anyone knows of an online shop where they’re still available, leave a message in the comments.
Inspired by the successful Kinect bounty put out by Adafruit, [gallamine] of the RobotBox community has posted his own $400 bounty (up from the original $200) for the first person who can hack the scanning LIDAR from Neato Robotics’ XV-11 vacuumbot. This sensor would be particularly useful to any robotic makers out there, because even the full retail price of the vacuum is less than the cost of most standalone LIDAR units, which often run upwards of $1000. The bounty seems to be growing every day, starting out at $200, and doubling thanks to a couple of other interested parties.
Luckily, from what we hear, the sensor was never made to be hack-proof (and perhaps even secretly hack friendly?), seeing as one of the prime developers of the sensor is a member of a certain Home Brew Robotics Club. We love it when companies are nice to hackers, and we hope to see more examples of this in the future. Not sure what the XV-11 is? Be sure to check out the video after the break for info about the vacuum and its scanning LIDAR.
We couldn’t help but poke a little fun in the headline. This is [Alex Miller], a twelve-year-old who claimed a $3000 bounty from Mozilla. See, [Alex] is a self-taught security guru. When Mozilla upped the reward for discovering and reporting critical security flaws in their software he went to work searching for one. He estimates that he spent an hour and a half a day for ten days to find the hole. Fifteen hours of work for $3000? That’s pretty good!
Is it good or bad to pay for these kinds of submissions? The real question: Is the bounty high enough to get blackhats to report vulnerabilities, rather than selling software that exploits them? Let us know what you think in the comments.
[via Zero Day]
We’re putting a bounty on two high-priority Bus Pirate features. You can get a free PCB for the upcoming Bus Pirate V2 by writing a bit of code. Hack a Day has a varied and talented group of readers, and we know someone out there has the experience to make these changes with minimal difficulty.
- The latest code integrates the PIC24F bootloader for easy updates without a programmer. We’d like to add a protocol snooper, but that requires interrupts. With the bootloader, however, interrupts are relocated and we’ve yet to fully grasp how that works. We’ll send a PCB and PIC24F to the first person who modifies the code to demonstrate UART, SPI, or change notification interrupts with the bootloader. Microchip’s 24F bootloader app note is available here. Complete.
- The current frequency measurement feature is a hack that uses a counter and a timer. Be the first to implement the input capture peripheral instead, and get a free PCB. See the function bpFreq(void) in base.c. Complete.
The latest Bus Pirate code and compiled firmware can be checked out from Google Code SVN. Submit your code via the comments below or email@example.com.
UPDATE: Both issues were resolved. Thanks for your suggestions.
AndroidAndMe is running a bounty program for Android applications. Users can request a specific application and pledge money to be awarded to the developer who delivers the functional app. [Alec Holmes] just fulfilled the first request by creating Torrent Droid. You can use the app to scan media barcodes and then download the related torrent. It uses the phone’s camera to capture the product’s UPC barcode (similar to Compare Everywhere’s price lookup) and then searches major torrent sites like The Pirate Bay to find a copy that can be downloaded. After getting the .torrent file, the app can submit it to uTorrent’s web interface for remote downloading. The app will be released later this month and you can see a screenshot tour of it on Alec’s blog. It’s doubtful that an application like this would ever clear Apple’s App Store approval process.