
WOW! PayPal Sends Me $5000 For A Command Execution Vulnerability



Update: $5000 was the initial payment; PayPal paid another $5000, which makes the total bug bounty $10,000 for the command execution vulnerability.

PayPal Pays Me A Total Bounty Of $10,000 For The Command Execution Bug


Today, when I logged into my Gmail account, I saw that PayPal had sent me $5000 for the command execution bug I reported on one of its subdomains. That constituted a huge risk to the organization, since an attacker could easily have executed any command on the server. Therefore the bug was extremely critical; however, PayPal took more than 2 months to sort it out.
I cannot write more about the vulnerability per the terms of the bug bounty program.
Along with the command execution vulnerability, I was paid $500 for an XSS vulnerability that I found on PayPal's main domain; furthermore, I was also paid for an information disclosure. So in total they sent me an amount of $6000.

More than 20 of my bugs are still being validated by PayPal.




Last week, I was offered a job by PayPal as a Senior Pentester, A.K.A. SecurityNinja. Kindly look at the screenshot below:



20 comments:

John said...

Nice
All the best:)

Zeeshan Haider on December 12, 2012 at 12:49 AM said...

You nailed it :)

Anonymous said...

Good Job! Nice to see also others winning in the bug bounty scene. Maybe it is a wise decision to take the job.
~Benjamin Kunz Mejri @ Vulnerability-Lab

MMMTheHacker said...

Man, this is so cool. Keep up the good work. And also enjoy the $6000.

Anonymous said...

Congrats, man! You're the best among all! I idolize you, man. Good job!!

Rafay Baloch on December 13, 2012 at 1:53 AM said...

@John And Zeeshan

Thanks for wishes.

@Anonymous 3

Thanks. Well, I am in the middle of my bachelor's; I will surely think about it when I complete it.

Rafay Baloch on December 13, 2012 at 7:19 AM said...

Thanks everyone....

Muhammad Abdullah on December 13, 2012 at 12:08 PM said...

Assalam o Alaikum:
Lots of congratulations; may Allah bless you with much more. I wish you and others with such capabilities would "serve PAKISTAN". This is the cyber age, and PAKISTAN has to face many more challenges.
May ALLAH grant us wisdom.

Mehul Mohan on December 14, 2012 at 5:22 AM said...

Lots of best wishes, bro! You are my superstar! I love your articles! You are the best hacker, damn it! I wish I were just 1% as intelligent with computers as you are!

Best Regards From Whole Team of
MyPrremiumTricks

Rynaldo on December 14, 2012 at 6:04 AM said...

Congratulations on the reward. At least it's good to see that Facebook, PayPal, Amazon and other companies have changed their policy on pentesters. At least a month ago they used to say "Sorry, this vulnerability has already been discovered by someone else and you're not eligible for the reward" to everyone, and after THN published an article on that, they changed it. :)

You're definitely a really great hacker with a huge knowledge package, and that's what it takes to get into the Security Ninjas. Too bad that you're still teaching your readers about hacking Facebook accounts and cracking cPanels, but all these tutorials have one thing in common: they teach how to use a tool.

Aren't you teaching real hacking to your readers because you're afraid that publishing this kind of "hardcore pentesting" tutorial will increase the number of people who are really eager to learn real penetration testing, and that this will cause more high-profile defacements in the future?

Anyway, congratulations on the reward.
Greetings from Rynaldo. :)
chfrynaldo@hotmail.com

Rafay Baloch on December 14, 2012 at 9:22 AM said...

@Muhammad Abdullah

Thank you very much for your compliment. Stay in touch.

Rafay Baloch on December 14, 2012 at 9:24 AM said...

@Mehul Mohan

Thank you very much for your appreciation. I believe there are lots of people who are much smarter than me; I just give my best shot.

Rafay Baloch on December 14, 2012 at 9:37 AM said...

@Rynaldo

Thanks for your comment. I really don't fully agree with the article that THN wrote. I myself, being a security researcher, know lots of people who send bulk vulnerabilities to PayPal; with so much competition, there is a huge chance that vulnerabilities will turn out to be duplicates. Moreover, people use automated vulnerability scanners that are good at detecting information disclosure, so vulnerabilities can end up duplicated for that reason too.

Regarding your second question, I do teach some advanced topics, but everything is based upon the readers. I constantly try to take feedback from readers regarding what they want me to post. Most of them suggest Facebook hacking. I have also posted some advanced stuff that rarely receives any comments, so therefore I need to write what is requested by readers.

Regarding the use of tools, I have a different opinion on that. Even a pro will use tools, because they save time and make work easier. However, manual verification is required too. It doesn't matter if a hacker writes a buffer overflow and someone else uses it to compromise a system; the output is what matters the most in the pentesting world.

Anonymous said...

Congrats, Rafay Baloch, on this achievement!!!

Please mail the concerned PayPal personnel to allow PayPal in Pakistan. It will be beneficial for all internet marketers in Pakistan.

Saqib Ameen on December 15, 2012 at 10:12 PM said...

Congrats, dude. Keep it up!

Rafaqat Ali on December 18, 2012 at 8:07 AM said...

Congratulations, Rafay, and keep on glowing.

hamza waleed on December 20, 2012 at 4:37 AM said...

Great, man!!!!! :P

Anonymous said...

Best of luck. Good to see you in the newspapers.
http://www.brecorder.com/pakistan/general-news/97795-pak-student-gets-5000-reward-from-paypal.html

Keep it up.

Rafay Baloch on December 27, 2012 at 10:18 AM said...

@anonymous 18

I'll take a look at it. By the way, is it an e-paper?

Anonymous said...

Keep it up and well done!

Dare to ask? :)

About

Rafay Baloch is an independent security researcher, internet marketer, entrepreneur and SEO consultant. He is the founder of the RHA blog and multiple other blogs. Rafay became famous after finding a Remote Code Execution bug in PayPal, for which PayPal awarded him a sum of $10,000.


RHA © 2013. All Rights Reserved.