I was looking at my Twitter and it was talking about the particulars of these two companies.
HackerOne is one of the biggest aggregators of bugs around, and they are supposed to pay money to ethical people who report vulnerabilities.
In this article, Cybernews points out 6 different very serious bugs that could let an attacker take control, change the applicant's name, and even bypass two-factor authentication.
The report indicates that the people behind these bugs lost points because PayPal or HackerOne closed their cases and didn't take the issues seriously.
The article lists the bugs from most severe to least severe, as well as how each vulnerability can lead to serious issues for the end user:
- #2 Phone verification without OTP
- #3 Sending money security bypass
- #4 Full name change
- #5 The self-help SmartChat stored XSS vulnerability
- #6 Security questions persistent XSS
Each of these has information on how the ethical hackers carried out each of the items, and on PayPal's and HackerOne's response.
PayPal says it wants these bugs, but it seems like they either don't want them, or they quietly patch them without giving any time to the researcher(s) who reported them.
The article is titled "We found 6 critical PayPal vulnerabilities – and PayPal punished us for it", and it was written by Bernard Meyer for Cybernews.
This has to be bad, and both companies should be ashamed of themselves! Give these ethical hackers and this team some credit for trying to help you. It's OK to say two of these bugs were duplicates, but 4 other bugs were downgraded? I don't understand this crap! Both companies have some explaining to do.
No one is the bad guy.
It makes sense to try and hide things and fix them, it's all reputation.
Saying that, if a good hacker fixes something they should be compensated.
Look at the Apple issue, or one of them, I think the hacker that got that one got 13 million for fixing that I think.
It was quite large but even so.
Hiding things is not good.
Sadly, as users we see it in everything from apps to computer updates.
Every month I get sound driver updates.
What's changed? Don't know, due to the changelog.
At least AMD has one.
Dropbox doesn't, Chrome probably does.
Thunderbird, Waterfox, and Firefox do.
But some software will have 1 line changelogs, i.e. look at this BIOS update.
Supports the latest Windows version.
Fine.
Or security updates month and dated time.
Fixed user issues!
What updates, what issues, nothing about them.
I.e. install it and it will work.
I have had it where not only did it not work but it didn't tell me that there was a load to update after that.
This caused the system not to work till I updated everything.
Look at this coronavirus.
In the beginning China hid it till they couldn't.
Everyone tries to fix it themselves until it's too big for just 1 man.
By then it's probably too late.
That virus seems to be dropping off in China, but everywhere else it's going up and up.
Give it another 3 or so months, it may just fuck right off, but for now it's a problem.
It seems people hide till they really have to get help to get something to work.
It really does not make sense to do that necessarily.