CyberNews blasts PayPal for 'failing to fix security flaws'
18 February 2020 08:11 GMT

Cyber security analysts at CyberNews say PayPal is failing to fix major vulnerabilities that allow hackers to quickly drain users’ bank accounts.

CyberNews said its analysts first privately alerted PayPal to six vulnerabilities in the first half of January through its bug-reporting system.  Three were fixed, but the most serious three are still unfixed – with PayPal denying that two are its responsibility to tackle.

Bernard Meyer, the Senior Researcher at CyberNews who undertook the research, says: “We are making these vulnerabilities public to warn its 305 million account holders and compel PayPal to fix them before hackers exploit these security flaws.  There is no reason why this cannot be done almost immediately given the size of their resources.

“If you read its blurb, you will think that PayPal gives a lot of money to ethical hackers that find bugs.  For instance, in 2018 PayPal announced a maximum bug bounty of $30,000 <https://portswigger.net/daily-swig/paypal-bug-bounty-increases-to-30k>  – a pretty nice sum.

“But the reality is somewhat different. For instance, when our analysts discovered six vulnerabilities in PayPal that put its millions of users’ money at risk, we were met with unresponsive staff, vague responses and often denial.”