original article http://www.smh.com.au/it-pro/security-it/australian-teen-uncovers-security-flaw-in-paypal-20140815-1044cx.html
Joshua Rogers says he made public a flaw in PayPal's website after they ignored him. Photo: Simon Schluter
An Australian teenager who found a security flaw in an Australian public transport authority's website has found another serious vulnerability, this time in the site of global payments provider PayPal.
The flaw, uncovered by 17-year-old Melbourne schoolboy Joshua Rogers, allowed hackers to bypass the payment provider's two-factor authentication system, which adds an extra layer of optional security via a one-time code sent via SMS to the user, or a number generator card.
With access to a victim's PayPal account using the flaw, a hacker could have purchased items online or withdrawn money sitting in the account.
Joshua told Fairfax Media via email that he published a blog post on August 4 with a link to a YouTube video demonstrating the issue after the payment company ignored his initial email about the flaw on June 5.
He said he understood that if he waited for a response and didn't disclose the flaw publicly he could have been given a cash reward for his find, but added that he didn't care about the money and wanted "to speed them up in fixing it".
PayPal said in a statement to Fairfax on Friday that the issue was "contained" and only impacted "a small number of customers".
"We are working hard to address this issue with a small amount of integrations with Adaptive Payments, which we expect to be resolved soon," a spokesman said.
The spokesman emphasised that two-factor authentication was an optional and additional security measure that only 0.27 per cent of its Australian customer base used.
They also said PayPal used other signals - like an account holder's IP address - to confirm a user's identity and to prevent fraud. And if any fraud was ever committed, the amount would be refunded, they said.
To make use of Joshua's flaw, a hacker needed to know their target's PayPal login, which is not necessarily difficult if the victim has had their credentials leaked in a data breach or stolen by malicious software.
With the login credentials the hacker could then use a web page Joshua found that created a "cookie" that fooled PayPal into thinking that the person being targeted was logged in and didn't need to use an additional code to authenticate.
This is not the first time Joshua has found holes in major websites. He's previously been awarded $US3000 by Facebook for a flaw he found in the social network's integration with Skype. The flaw allowed him to pilfer Skype email addresses.
Another vulnerability he found allowed him to steal usernames and passwords from eBay's user database. That vulnerability didn't attract an award, however, as eBay doesn't pay for bugs found in its website.
Joshua also used a simple hacking technique in December to unearth a database containing an estimated 600,000 customer records from Public Transport Victoria's former Metlink online store. The database included full names, addresses, home and mobile phone numbers, email addresses, dates of birth, seniors card ID numbers, and nine-digit extracts of credit card numbers.
Joshua's finding fell on deaf ears until he approached Fairfax Media in January. Fairfax gave PTV time to secure its site before publishing.
Shortly after, PTV reported Joshua to Victoria Police because it said its database had been "illegally accessed".
Victoria Police recently confirmed to Fairfax it had executed a search warrant at the boy's family home in May and seized his computer equipment.
However, Detective Inspector John Manley, from Victoria Police's e-crime squad, said the raid was in connection with "another more serious matter" as well as the PTV website hack. Joshua was cautioned in July by police about the PTV incident, and the other matter remains under investigation, he said.
Joshua didn't mention the other matter in a blog post he recently wrote about the raid but claimed in an email to Fairfax that it was directly to do with the PTV matter.
"There was another, completely unrelated charge, which was brought up. But that was different from the whole PTV thing. The arrest/confiscation was to do with PTV," he said.
Detective Inspector Manley acknowledged the existence of security researchers who hacked for good, commonly called "white hats", but said that they should not be "going to the media and telling the world at large about the vulnerability, even if they had informed the site owner in the meantime".
"As an analogy, would it be acceptable for someone to walk along the street trying doors and if they found one unlocked, to walk inside and have a look around the house," he said.
Acting Victorian Privacy Commissioner David Watts said it was an offence to hack a computer system, "regardless of the colour of the hat you are wearing at the time".
"Organisations often undertake penetration testing of their own systems but this does not constitute an offence because the testing is controlled and authorised. Where members of the public inadvertently discover a security vulnerability, the expectation is that they report it to the system owner."
Security expert Ty Miller, of Threat Intelligence, said despite his intentions, at the end of the day Joshua had technically committed a cybercrime by extracting data from the government database.
But he said that the fact Joshua claimed to have only extracted certain details from the database supported the fact that he "was not intending to be malicious".
"Assuming that the investigation into the incident confirmed this to be the case, a less aggressive response from the government would have been warranted," Mr Miller said.
The PTV incident wasn't the first time Australian police have been set on researchers who have found a hole in an organisation's website.
In 2011 Patrick Webster told First State Super he found a flaw exposing the personal details of its 770,000 members. He subsequently received a knock on the door from police and a legal letter from the superannuation fund threatening legal action. The police dropped the matter after media scrutiny.