
Got paid for first PayPal bug bounty!

Discussion in 'BlackHat Lounge' started by ArmoredMedia, Oct 10, 2013.

  1. ArmoredMedia

    ArmoredMedia Junior Member

    Joined:
    Sep 29, 2013
    Messages:
    130
    Likes Received:
    39
    Occupation:
    http://travisingram.net/
    Location:
    Washington, U.S
    Home Page:
    Well, about a few months ago I was doing PayPal limit removals for people (restricted accounts). I had solved an account with $800 in it, with me getting $200 out of it.

    I received my cut out of the deal, which was $200. But I told the guy to just send all the money through my account. That was a stupid decision because after that, the guy went back to the owner who he purchased the account from. He started to brag to him about how I removed the limits within 30 minutes and got all the money. But the guy who came to me with the account never changed the passes or anything so the owner took it back.


    He never changed the password and took it back, opened up unauthorized charges on me and I was basically screwed over on all the money I earned.


    I still had some info on this guy's account and the information this guy who came to me had.

    I did nearly everything I could to jack the account back using numerous techniques, and finding out three exploits in PayPal's site to take it back.


    But I was too late and he had already withdrawn the money.

    Anyways, that all led up to finding these bugs in PayPal.


    I submitted all three and just got paid for one of the bugs today:

    i.imgurXcom/07nPBgE.png

    Remove x and put .


    Overall really happy that I actually got some money out of the bugs as I thought they'd never get paid for and including that I made the money I lost from removing restrictions on a customer's account.

    (All of the neg was covered by the guy who came to me with the account at first).
     
    Last edited: Oct 10, 2013
  2. Thulean

    Thulean Newbie

    Joined:
    Jul 25, 2013
    Messages:
    12
    Likes Received:
    75
    What were the details of the bugs? I know the opinion of a lot of people here is that you could have possibly made a lot more money not reporting it.
     
  3. ArmoredMedia

    ArmoredMedia Junior Member


    It was an information disclosure, so I did not see very much profit in using this method to make more money. I'd rather not disclose the full method of the information disclosure on a user's PayPal account.
     
  4. Spawnie

    Spawnie Power Member

    Joined:
    Feb 1, 2010
    Messages:
    716
    Likes Received:
    290
    Is this so hard to read/understand because I'm tired?
     
  5. ArmoredMedia

    ArmoredMedia Junior Member

    Modified, I was too excited to type correctly.
     
  6. lpe39

    lpe39 Regular Member

    Joined:
    Apr 12, 2012
    Messages:
    209
    Likes Received:
    32
    Occupation:
    Developer
    Location:
    United States
    Lucky, I submitted one two months ago.
    They fixed it a month after the report, and are apparently "having difficulties completing this on our test environment."
    Because they need to verify it was a valid report, fml it was an XSS Persistent too..
     
  7. ArmoredMedia

    ArmoredMedia Junior Member

    Gotta blank space there. How much did you get paid for yours? I still have two waiting for approval. What's weird is that the one I got paid for today I submitted last month, and the two other submissions were submitted two months ago but this one got paid/replied back to much faster.

    EDIT: Text was black. Sometimes I think PP doesn't wanna pay for some submissions sometimes.
     
  8. neu009

    neu009 Jr. VIP Jr. VIP Premium Member

    Joined:
    Jul 29, 2009
    Messages:
    1,021
    Likes Received:
    272
    Lol, sounds about right. Don't give up. The other day I got an email I thought was a scam. Turned out it really was from PayPal for an old dispute I made over 3 years ago lol. If I remember right I did a chargeback already as well. So maybe you will get something in a few years as well.
     
  9. lpe39

    lpe39 Regular Member

    It was a persistent XSS that couldn't be cleared until the transaction was weeks behind, and even if they clicked the details it did it.

    I reported it August 9th.

    Personally, I hope they hurry up with their tests because it was a valid report, and they fixed it a month after August. xD
     
  10. ArmoredMedia

    ArmoredMedia Junior Member

    I don't get fully what you mean. Explain clearer?
     
  11. BlackCod

    BlackCod Regular Member

    Joined:
    Jan 31, 2012
    Messages:
    353
    Likes Received:
    161
    Occupation:
    Gangster
    Location:
    Westside Earth
    Smart, at least you got something out of the ordeal.
     
  12. lpe39

    lpe39 Regular Member

    Turns out they verified it and will send it next payment cycle!
     
  13. PrinceVisi

    PrinceVisi Elite Member

    Joined:
    Jan 11, 2012
    Messages:
    1,916
    Likes Received:
    1,008
    Occupation:
    BusinessMan
    Location:
    Tropoja

    Wonderful Job OP!

    We need people like you!
     
  14. ArmoredMedia

    ArmoredMedia Junior Member

    There is a payment cycle? Any idea when that comes around next? I wanna get my other half of that 375.
     
  15. methodman90

    methodman90 BANNED BANNED

    Joined:
    Oct 10, 2013
    Messages:
    294
    Likes Received:
    140
    I haven't really understood the point of this thread...
     
  16. lpe39

    lpe39 Regular Member

    It is either the end of the month, or the beginning of next month.
     
  17. G-S-T

    G-S-T Executive VIP Jr. VIP

    Joined:
    Jan 20, 2011
    Messages:
    1,836
    Likes Received:
    8,801
    Occupation:
    Full time IM
    Location:
    Heavy in the game
    [​IMG]
     
  18. Starcodes

    Starcodes Regular Member

    Joined:
    Mar 30, 2011
    Messages:
    251
    Likes Received:
    135
    You guys are paid snitches. As fucked up as PayPal are, I will never help them out in any forms or shapes. Next time leave the bugs so they get screwed, because they screw people over all the time.
     
  19. G-S-T

    G-S-T Executive VIP Jr. VIP

    But really we're screwing ourselves over. Regardless of how much we hate PayPal, we all want the people who process our payments to be locked up tight.