PayPal Rewards Pakistani Student for Reporting Bugs


Rafay Baloch, an independent security researcher from Karachi, has been rewarded with USD 5,000 for reporting a remote command execution bug on PayPal’s website.

PayPal had announced this “Bug Bounty” program for researchers, under which anyone can report a bug and, once PayPal validates it, receive a reward.

Rafay writes on his blog that the bug he reported was very critical in nature and a huge risk to PayPal, because an attacker could easily have executed arbitrary commands on the server.

Rafay claims to have been paid USD 500 for an XSS vulnerability that he found on PayPal’s main domain, in addition to USD 500 for an information disclosure. Rafay claims that 20 bugs reported by him are still being validated by PayPal.


Speaking with ProPakistani, Rafay Baloch said that he was recently approached by PayPal with a job offer, which he is not considering taking because of his studies.

Rafay has previously been acknowledged by Microsoft, ESET and eBay for reporting bugs and flaws in their systems.

Tech reporter with over 10 years of experience, founder of ProPakistani.PK


  • Good to know. I wish PayPal would come to Pakistan as well to establish its business.

  • Burhan Saeed

    good job Rafay… May Allah Pak guide/keep you to the positive path…..

    • Rafay Baloch

      Thank you very much for the wishes.

      • Zee

        As per the bug bounty policy, you are not supposed to disclose this to the media or the public. Hmmmm….

        • Rafay Baloch

          I can, after the bug is fixed.

      • I recommend you not to opt out of their job offer. Either get in right now, or ask them to make you an offer after your studies.
        Still, I will recommend you not to turn their offer down.

      • Sadia Komal

        Great job

      • Sadia Komal

        Great job

      • Sadia Komal

        Great job

  • Saad

    V nice …

  • Rafay Baloch is an Ethical Hacker. Good Job man!

  • Nauman

    good work Rafay! cheers for web security

  • DJ

    Good Job Rafay please also let them know open Paypal for pakistan :)

    • Asad Shamsi

      It’s not up to PayPal, it’s up to our banks.

      • Waqar Hassan

        It’s not our banks. This is not the way PayPal works; our banks have the ability to do foreign transactions for that matter. It’s at PayPal’s end, which initially provided the service for Pakistanis and later had to abandon it because of the increasing fraud.

  • Muhammad Khalid

    gooooddhhh jobbbhhh :)

  • Salman Abbas

    Pakistani script kiddies need to learn a lesson or two from this guy.

    BTW, how on earth does he have a verified PayPal account?

    • koolwalky

      Relatives overseas? idk…

    • Rafay Baloch

      I have a business partner in the US who takes care of my PayPal payments.

      • Salman Abbas

        I see, thanks. I asked because the account seems to be registered using your name.

        • Rafay Baloch

          You can also participate in the bug bounty program using any of your friends’ PayPal accounts.

          • Salman Abbas

            Ah got it. Thanks again :)

      • Nouman Khan

        Good job buddy, but
        they emailed Rafay and the account is your business partner’s. I’m not getting this.

    • Damn You Are A Legendary Lamer :P

      Rafay is my friend and he told me that he has a partner or relative in the US. Through him he manages to get the money.

      • Salman Abbas

        Thanks for the rank and obvious info Mr. Ultimate Lamer :P

        • (Y)
          KEEP Hating People xD

          • Salman Abbas

            Sure :P

  • Aitezaz

    FAKE

    • Jealous People :)

    • Danyal

      prove it…kill your ego and learn to appreciate others !!!
      Danyal

      • Naeem

        Actually there were two or more incidents of such claims in Pakistan, such as someone named “Shaya”, if I am not wrong, who claimed that Bill Gates invited him. And some others. That is why it is difficult to accept this type of news. Anyhow, if it’s real, then yes, the person should be appreciated.

    • This actually happened…

      Also, check the official security blogs of Microsoft and eBay etc. They have acknowledged him.

      So stop being an ignorant dumb.

    • Learn to appreciate. If you can’t do anything, it doesn’t mean no one can do it :)

  • frost

    Good job. If it was a website of higher authorities in Pakistan they would’ve called the FIA to bust him instead of giving him a reward lol

  • Danyal

    You nailed it, kid!!!!

    Danyal

  • Gulab Shah

    3G and PayPal are what we need :) waiting for them

  • Salman Ahmed

    Fake. They don’t pay money to Pakistani nationals.

    • Rafay Baloch

      Everyone with a verified PayPal account is eligible. For more information read their blog.

    • Sadia Komal

      they will, if they are in danger :)

  • Ayaz Ahmed

    Doing online business without 3G and PayPal is very difficult. Should we voice together for it?

  • I have a doubt about his achievement, since PayPal is not supporting Pakistan-based clients, so how can he get paid by PayPal?

    • Rafay Baloch

      You can use the PayPal account of a friend, relative etc. to receive payments. In my case, I have a business partner in the US who takes care of all the payments I receive from PayPal.

      • Zee

        Please take up the job at PayPal. Please!

      • Akram

        wish you the best of luck for future :)

        But how do you log in to PayPal in Pakistan? I mean they have some IP security. Just asking this question because I heard PayPal does not like it when an account is logged in from a different IP.

        • Rafay Baloch

          I don’t have a PayPal account. As I said before, I use my business partner’s PayPal account to receive it and he later sends it to me via Western Union.

          • Akram

            Yes I believe.. but I am still not sure…

            https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues

            check this

            In your bug submission email, please include the following:

            Your email address
            Your PayPal account (in order to receive the bounty)
            Vulnerability type (i.e., XSS, CSRF, SQLi, etc.)
            Vulnerability Scope: Domain(s), URL(s) and Parameter(s) impacted
            Steps to reproduce bug

            It is asking for “Your” PayPal account. So you submitted your email and then your business partner’s PayPal account? Different name? I think it is not possible. PayPal is not foolish enough to accept people with a different name and PayPal account.

            and one thing about

            Individuals from sanctioned countries are not allowed to participate in this program.

            Can you tell me what the sanctioned countries are?

            It simply means that you need to use a PayPal account for this program. You need your own.

            Thanks

            • Rafay Baloch

              Burma (Myanmar)
              Ivory Coast
              Cuba
              Congo (Democratic Republic of Congo)
              Iran
              Iraq
              Liberia
              Libya
              North Korea
              Somalia
              Sudan
              Syria
              Zimbabwe
              Lebanon
              Yemen

              • Akram

                Thanks. But still you did not give me an answer….

                In your bug submission email, please include the following:

                Your email address
                Your PayPal account (in order to receive the bounty)
                Vulnerability type (i.e., XSS, CSRF, SQLi, etc.)
                Vulnerability Scope: Domain(s), URL(s) and Parameter(s) impacted
                Steps to reproduce bug

                My question is: how did you register?

                In the email, PayPal calls you “Rafay”, and you’re using your business partner’s PayPal account. Is his name also Rafay? Or does PayPal have no objection to paying some other account? I think it is clearly asking for “Your” PayPal account.

                Please clarify for us.

                Thanks,

                • Rafay Baloch

                  It’s simple. Try it yourself.

                  Send a bug to PayPal ([email protected]) and they will reply as “Hi Akram,

                  We have received …. . …..”

                  Later they will ask you for a verified PayPal account, and PayPal does not care whose it is. I hope this clears it up.

                  • Akram

                    OK, I’ll do it now. But please make sure whether @gmail.com or @paypal.com is correct.

                    I mean, which email is correct?

                    [email protected] or [email protected]

                    I am definitely going to ask about this fix to PayPal.

                    thanks,

                    Akram

  • Usman

    Nice job Rafay
    Keep up the good work….
    And to everyone else saying it’s fake because PayPal is not working in Pak, stop whining and grow up.

  • Proud of you Rafay! :)

  • good work man :)

  • Rafay is a repository of extraordinary technical skills that even we as programmers fail to understand. I wish him all the best with his future endeavours and wish him to keep the flag high wherever he goes. All the best, young man. :)

  • Akram

    Very good. But how did he get a PayPal account? Does he not live in Pakistan, or did he make the account using a VCC, or a relative’s/friend’s account?

  • Saqib Ameen

    you just rock dude!! Best Of Luck for future!! :)) May GOD Bless you!!

  • Rafay Baloch

    Here is the confirmation by PayPal, kindly verify it yourself:
    http://tinyurl.com/d4nouqb

  • If I were that dude I would demand PayPal service for Pakistan instead of 5K USD.

  • How did PayPal pay him? It’s totally fake news.

  • Faraz

    Rafay, any tips for wannabe security experts? Is there any resource we can use to learn and improve our skills?