Blind SQL Injection Vulnerability
PayPal paid $3,000 for information used to eliminate a vulnerability in the PayPal database. The now-eliminated vulnerability allowed an SQL injection attack to be carried out against PayPal.
The award went to the company Vulnerability Laboratory, which first reported the critically dangerous bug in PayPal in August of last year. The company now says that the database problem was fully eliminated at the end of December. PayPal, in turn, said that this was the first time it had paid a reward for help in finding a vulnerability associated directly with the site rather than with the payment platform.
The company said that the underlying vulnerability allows an attacker to identify the code by email, and that it helped identify PayPal's security filters, through which it was possible to compromise the back-end servers and important information on payment transactions. The vulnerability was present both in the site itself and in the interface of PayPal's e-commerce system. In some cases it was possible to obtain the privileges of low-level applications on PayPal's servers.
Further details are available at http://seclists.org/fulldisclosure/2013/Jan/199