Rafay Baloch, an independent security researcher out of Karachi, has been rewarded with USD 5,000 for reporting a remote command execution bug in PayPal’s website.
PayPal had announced this "Bug Bounty" program for researchers, in which anyone could report a bug and win a reward from PayPal after validation.
Rafay writes on his blog that the bug he reported was very critical in nature and a huge risk to PayPal, because an attacker could easily have executed arbitrary commands on the server.
Rafay claims to have been paid USD 500 for an XSS vulnerability that he found on PayPal's main domain, in addition to USD 500 for an information disclosure. Rafay claims that 20 bugs reported by him are still being validated by PayPal.
Speaking with ProPakistani, Rafay Baloch said that he was recently approached by PayPal with a job offer, which he is not planning to take because of his studies.
Rafay has been previously acknowledged by Microsoft, ESET and eBay for reporting bugs and flaws in their systems.
Good to know. I wish PayPal would come to Pakistan as well to establish its business.
good job Rafay… May Allah Pak guide/keep you to the positive path…..
Thank you very much for the wishes.
As per the bug bounty policy, you are not supposed to disclose this to the media or the public. Hmmmm….
I can, after the bug is fixed.
I recommend you not to opt out of their job offer. Either get in right now, or ask them to make you an offer after your studies.
Still, I will recommend you not to turn their offer down.
Great job
Great job
Great job
V nice …
Rafay Baloch is an Ethical Hacker. Good Job man!
good work Rafay! cheers for web security
Good Job Rafay please also let them know open Paypal for pakistan :)
It’s not up to PayPal, it’s up to our Banks..
It's not our banks. This is not the way PayPal works; our banks have the ability to do foreign transactions, for that matter. It's at PayPal's end, which initially provided the service for Pakistanis and later had to abandon it because of increasing fraud.
gooooddhhh jobbbhhh :)
Pakistani script kiddies need to learn a lesson or two from this guy.
BTW, how on earth does he have a verified PayPal account?
Relatives overseas? idk…
I have a business partner in the US who takes care of my PayPal payments.
I see, thanks. I asked because the account seems to be registered under your name.
You can also participate in the bug bounty program using any of your friends' PayPal accounts.
Ah got it. Thanks again :)
Good job buddy, but they emailed Rafay and the account is your business partner's. I'm not getting this.
Damn You Are A Legendary Lamer :P
Rafay is my friend and he told me that he has a partner or relative in the US. Through him he manages to get the money.
Thanks for the rank and obvious info Mr. Ultimate Lamer :P
(Y)
KEEP Hating People xD
Sure :P
FAKE
Jealous People :)
Prove it… kill your ego and learn to appreciate others!!!
Danyal
Actually there were two or more incidents of such claims in Pakistan, such as someone named "Shaya", if I am not wrong, who claimed that Bill Gates invited him. And some others. That is why it is difficult to accept this type of news. Anyhow, if it's real, then yes, the person should be appreciated.
This actually happened…
also, check official security blogs of Microsoft and eBay etc. They have acknowledged him..
So stop being an ignorant dumb.
Check 6th Name
http://technet.microsoft.com/en-us/security/cc308589
Search his name on this page…
http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html
Learn to appreciate. If you can't do anything, it doesn't mean no one can :)
Good job. If it was a website of higher authorities in Pakistan, they would've called the FIA to bust him instead of giving him a reward lol
You rocked it, boy!!!!
Danyal
3G and PayPal are what we need :) waiting for them
Fake. They don't pay money to Pakistani nationals.
Everyone with a verified PayPal account is eligible. For more information, read their blog.
they will, if they are in danger :)
Doing online business without 3G and PayPal is very difficult. Should we voice together for it?
I have doubts about his achievement. Since PayPal does not support Pakistan-based clients, how can he get paid by PayPal?
You can use the PayPal account of a friend, relative etc. to receive payments. In my case, I have a business partner in the US who takes care of all the payments I receive from PayPal.
Please take up the job at Paypal. Please!
wish you the best of luck for future :)
But how do you log in to PayPal in Pakistan? I mean, they have some IP security. Just asking this question because I heard PayPal does not like it when an account is logged in from different IPs.
I don't have a PayPal account. As I said before, I use my business partner's PayPal account to receive it, and he later sends it to me via Western Union.
Yes I believe.. but I am still not sure…
https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
check this
In your bug submission email, please include the following:
Your email address
Your PayPal account (in order to receive the bounty)
Vulnerability type (i.e., XSS, CSRF, SQLi, etc.)
Vulnerability Scope: Domain(s), URL(s) and Parameter(s) impacted
Steps to reproduce bug
It is asking for "Your" PayPal account. So you submitted your email and then your business partner's PayPal account, under a different name? I think it is not possible. PayPal is not fool enough to accept people with a different name and PayPal account.
And one thing about
Individuals from sanctioned countries are not allowed to participate in this program.
Can you tell me what the sanctioned countries are?
It simply means that you need to use a PayPal account for this program. You need your own.
Thanks
Burma (Myanmar)
Ivory Coast
Cuba
Congo (Democratic Republic of Congo)
Iran
Iraq
Liberia
Libya
North Korea
Somalia
Sudan
Syria
Zimbabwe
Lebanon
Yemen
Thanks. But still you did not give me an answer….
In your bug submission email, please include the following:
Your email address
Your PayPal account (in order to receive the bounty)
Vulnerability type (i.e., XSS, CSRF, SQLi, etc.)
Vulnerability Scope: Domain(s), URL(s) and Parameter(s) impacted
Steps to reproduce bug
My question is, how did you register?
In the email, PayPal calls you "Rafay", and you're using your business partner's PayPal account. Is his name also Rafay? Or does PayPal have no objection to paying some other account? I think it is clearly asking for "Your" PayPal account.
Please clarify for us.
Thanks,
It's simple, try it yourself.
Send a bug to PayPal ([email protected]) and they will reply with: Hi Akram,
We have received …. . …..
Later they will ask you for a verified PayPal account, and PayPal does not care whose it is. I hope this clears it up.
Ok, I'll do it now. But please make sure whether @gmail.com or @paypal.com is correct.
I mean, which email is correct?
[email protected] or [email protected]
I am definitely going to ask about this fix to PayPal.
thanks,
Akram
Sorry, it's [email protected]; it was a typo.
Nice job Rafay
Keep up the good work….
And to everyone else saying it's fake because PayPal is not working in Pak, stop whining and grow up.
Proud of you Rafay! :)
good work man :)
Rafay is a repository of extraordinary technical skills that even we as programmers fail to understand. I wish him all the best with his future endeavours and wish him to keep the flag high wherever he goes. All the best, young man. :)
Very good. But how did he get a PayPal account? Does he not live in Pakistan, or did he make the account using a VCC? Or a relative's/friend's account?
you just rock dude!! Best Of Luck for future!! :)) May GOD Bless you!!
Here is the confirmation by PayPal; kindly verify it yourself:
http://tinyurl.com/d4nouqb
If I were that dude, I would demand PayPal service for Pakistan instead of 5K USD.
How did PayPal pay him? It's totally fake news.
Rafay, any tips for wannabe security experts? Is there any resource we can use to learn and improve our skills?