This allowed him to upload a Flash file to www.paypal.com that had full read access on www.paypal.com. To take over a user's account, the user then only had to visit a website controlled by the researcher. The researcher could then perform arbitrary actions with the PayPal account, such as transferring money and stealing data.
The researcher reported the problem to PayPal, which rewards bug reports through a special program. However, eight days later he was told that another researcher had already reported the problem and that therefore no reward would be paid. "I know that researchers sometimes find the same bugs, but I think PayPal should deal better with such duplicate bug reports," said the disappointed researcher.
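The underlying weakness is that a Flash file served from www.paypal.com inherits that origin and can read responses from it with the visitor's session. A defender's check against this class of upload bug, written here as an added example and not PayPal's own code, inspects the bytes of every upload rather than trusting the declared Content-Type or extension, and prepares the headers under which stored uploads should be served (as a download, with sniffing disabled). The function names, the allowed-type list and the sample payloads below are assumptions constructed for the example.

```python
import struct
from typing import Dict, Tuple

# Every SWF begins with one of three 3-byte signatures: "FWS" (uncompressed),
# "CWS" (zlib-compressed body) or "ZWS" (LZMA-compressed body), followed by a
# one-byte version and a 4-byte little-endian file length.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Magic bytes for the upload types this hypothetical endpoint accepts.
ALLOWED_MAGIC: Dict[str, bytes] = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}


def is_swf(data: bytes) -> bool:
    """True if the payload is a Flash file, regardless of its name or declared type."""
    return len(data) >= 8 and data[:3] in SWF_SIGNATURES


def validate_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be stored on the main origin.

    Returns (accepted, reason). The decision is made on the bytes themselves:
    an attacker controls both the filename and the Content-Type header.
    """
    if declared_type not in ALLOWED_MAGIC:
        return False, "content-type not allowed"
    if is_swf(data):
        # A renamed .swf would otherwise execute with the hosting site's origin.
        return False, "payload is a Flash file"
    if not data.startswith(ALLOWED_MAGIC[declared_type]):
        return False, "payload does not match declared type"
    if not filename.lower().endswith((".png", ".jpg", ".jpeg")):
        return False, "extension not allowed"
    return True, "ok"


def download_headers(filename: str) -> Dict[str, str]:
    """Headers for serving a stored upload so the browser never renders it inline.

    Content-Disposition: attachment stops plugins and the HTML parser from
    interpreting the file, and nosniff stops the browser second-guessing the
    type. Serving uploads from a separate sandbox domain is the complementary
    control (not shown here).
    """
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample payloads: a minimal SWF header and a PNG header.
SAMPLE_SWF = b"FWS" + bytes([10]) + struct.pack("<I", 20) + b"\x00" * 12
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    # The SWF arrives disguised as a PNG avatar and is still rejected.
    print(validate_upload("avatar.png", "image/png", SAMPLE_SWF))
    print(validate_upload("avatar.png", "image/png", SAMPLE_PNG))
    print(download_headers("avatar.png"))
```

The two checks complement each other: `validate_upload` keeps Flash content off the origin in the first place, and `download_headers` limits the damage if a dangerous file does get stored, because a file delivered as an attachment is not executed in the context of the site that hosts it.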