PayPal Rewards Pakistani Student for Reporting Bugs

اسے اردو میں پڑھیے

Rafay Baloch, an independent security researcher out of Karachi, has been rewarded with USD 5,000 for reporting a remote command execution bug in PayPal’s website.

PayPal had announced this ”Bug Bounty” program for researchers, in which anyone could report a bug to win a reward from PayPal after validation.

Rafay on his blog writes that the bug he reported was very critical in nature and a huge risk to the PayPal, because an attacker could have easily managed to execute any command on the server.

Rafay claims to have been paid USD 500for an XSS vulnerability that he found on Paypal’s main domain, in addition to USD 500 for an information disclosure. Rafay claims that 20 of bugs reported by him are still being validated by PayPal.

Untitled

Speaking with ProPakistani, Rafay Baloch said that he was approached by PayPal with a job offer lately, which he is not considering to take because of his studies.

Rafay has been previously acknowledged by Microsoft, ESET and eBay for reporting bugs and flaws in their systems.

Tech reporter with over 10 years of experience, founder of ProPakistani.PK


      • Its not for our banks. This is not the way paypal works, our banks have ability to do foreign transactions for that matter, its at the paypal end which initially provided the service for pakistanis which later they had to abandon because of the increasing fraudulence.

  • Pakistani script kiddies need to learn a lesson or two from this guy.

    BTW how on earth does he has a verified Paypal account?

  • God job If it was a website of higher authorities in pakistan they wudve call fia to bust him instead of giving him a reward lol

    • You can use Paypal account of a friend, relative etc to receive payments, In my case, i have a business partner in US, who takes care of all the payments i receive from Paypal.

      • wish you the best of luck for future :)

        but how do you login PayPal in Pakistan? I meant they have some IP security. just asking this question because I heard PayPal does not like when it is logged in using different IP.

        • I don’t have a Paypal account, As i said before that, I use my business partner’s Paypal account to receive it and he later sends it to me via western union.

          • Yes I believe.. but I am still not sure…

            https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues

            check this

            In your bug submission email, please include the following:

            Your email address
            Your PayPal account (in order to receive the bounty)
            Vulnerability type (i.e., XSS, CSRF, SQLi, etc.)
            Vulnerability Scope: Domain(s), URL(s) and Parameter(s) impacted
            Steps to reproduce bug

            It is asking for “Your” PayPal account. so you submitted your email and then business partner PayPal account? different name? I think it is not possible. PayPal is not fool to accept people with different name and PayPal.

            and one thing about

            Individuals from sanctioned countries are not allowed to participate in this program.

            can you tell me what are sanctioned countries?

            It simply means that you need to use PayPal account for this program. you should need your own.

            Thanks

            • Burma (Myanmar)
              Ivory Coast
              Cuba
              Congo (Democratic Republic of Congo)
              Iran
              Iraq
              Liberia
              Libya
              North Korea
              Somalia
              Sudan
              Syria
              Zimbabwe
              Lebanon
              Yemen

              • thanks. but still you did not give me answer….

                In your bug submission email, please include the following:

                Your email address
                Your PayPal account (in order to receive the bounty)
                Vulnerability type (i.e., XSS, CSRF, SQLi, etc.)
                Vulnerability Scope: Domain(s), URL(s) and Parameter(s) impacted
                Steps to reproduce bug

                my question is that how did you register?

                In email. PayPal calling you “Rafay” .. and you’re using your business partner PayPal account. His name is also Rafay? or PayPal has no objection giving some other account? I think. it is clearly asking for “Your” PayPal account.

                Please clarify us.

                Thanks,

  • Nice job Rafay
    Keep up the good work….
    And to everyone else saying its fake because PayPal is not working in Pak, stop whining and grow up.

  • Rafay is a repository of extra ordinary technical skills that even we as programmers fail to understand. I wish him all the best with his future endeavours and wish him to keep the flag high wherever he goes. All the best young man. :)

  • Very good. but how he got PayPal account? he does not live in Pakistan or he made account using VCC? or relative/friend account?


  • >