James Delahunty
7 Dec 2014 7:57
An Egyptian security researcher has scooped the top payout for security bugs from PayPal for discovering a massive security flaw that exposed the accounts of over 150 million users.
Yasser Ali was able to get around PayPal's CSRF Prevention System and capture an authentication token that could be used to effect a customer's PayPal account. You could add, remove or confirm e-mail addresses, add fully privileged users to a business account, change security questions, billing info, shipping info, payment methods and so on.
He disclosed the bug to PayPal and received the firms top award incentive for bug hunters, pocketing $10,000 for his work.
He also detailed how he beat PayPal's security systems on his blog, and provided this proof of concept video.