Friday, April 24, 2015

My Experience with the eBay Bug Bounty Program



In January 2015, I participated in eBay's bug bounty program. At that time, bug bounty programs were not the same as they are now. The bug bounty industry today has grown by almost 100% compared to last year, and every week a new bug bounty program starts on bug bounty platforms.

I thought it would be a good idea to participate in their bug bounty program, report a single issue (the first finding), and then decide whether I would like to test their services more deeply.

After some quick searches, I found a subdomain called ebaycommercenetwork.com. I then started testing it for common flaws.

I noticed a Cross-Site Scripting issue on http://ebaycommercenetwork.com/kb/[Payload]. It only filters the slash character “/”. The bypass was simply to hex-encode it, so “/” == %2F. Using the bypass, I generated a pop-up alert to indicate the existence of the XSS issue, as shown in the following screenshot:

I guess you can imagine how much damage can be done with the above issue.
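The behaviour described above (a literal “/” is removed but %2F gets through) is what a filter produces when it runs on the still-encoded path and decoding happens afterwards. The following is an added example, not eBay's code or code from the original post: the function names, the page template and the benign `<b>` probe are constructed assumptions, and the hardened handler shows the output-encoding fix.

```python
import html
from urllib.parse import unquote

# Constructed template standing in for a page that reflects the /kb/<term> segment.
PAGE = "<h1>Knowledge base</h1><p>No article found for: {term}</p>"


def strip_slash_filter(raw_segment: str) -> str:
    """Assumed shape of the weak filter: drop literal '/' characters only."""
    return raw_segment.replace("/", "")


def render_vulnerable(raw_segment: str) -> str:
    # The filter sees the still-encoded value, so "%2F" passes untouched.
    filtered = strip_slash_filter(raw_segment)
    # Decoding afterwards turns "%2F" back into "/" and the markup is complete again.
    term = unquote(filtered)
    return PAGE.format(term=term)


def render_hardened(raw_segment: str) -> str:
    # Decode to the canonical form first, then HTML-encode at the point of output.
    # No character blacklist is needed: '<', '>', '&' and quotes become entities.
    term = unquote(raw_segment)
    return PAGE.format(term=html.escape(term, quote=True))


def reflects_markup(page: str, probe: str) -> bool:
    """Regression check: True if the decoded probe appears unescaped in the page."""
    return unquote(probe) in page


if __name__ == "__main__":
    # Constructed, benign probes: same markup, literal slash vs. percent-encoded slash.
    for probe in ("<b>kb</b>", "<b>kb<%2Fb>"):
        for name, render in (("vulnerable", render_vulnerable),
                             ("hardened", render_hardened)):
            page = render(probe)
            print(f"{name:10} {probe!r:15} reflected={reflects_markup(page, probe)}")
```

A check like `reflects_markup` can be kept as a regression test so that the reflected path segment stays encoded after later template changes.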

Then I reported the vulnerability to eBay via their bug bounty program contact. After a few clarifications from me, they acknowledged the existence of the vulnerability and filed a report regarding it. At that moment, I was glad about it, and waited for them to fix the issue.

In February 2015, I contacted them to ask about the date of shipping a fix. Each time I contacted them about when the fix would be shipped, they responded with a non-informative template email.

I had two options: the first was to wait until the issue was fully fixed, and the second was to disclose it after 45 days, which is a reasonable duration for companies to patch their application according to the US CERT.

I chose the first option for the following reasons. It is the best option for keeping customers secure, as public disclosure might put users at risk from malicious users making use of this issue. Also, it is better for eBay's reputation: breaches, valid public vulnerabilities, and full disclosures might affect the company's reputation. Furthermore, I wanted to know how much effort they would put into patching the issue, although I fully understand it's an easy-to-patch XSS issue that can be fixed with one line of code.

Each month, I checked whether the issue still existed without finding any changes by the company. After a couple of months, I contacted them multiple times again to understand the delay in shipping the patch, and they always responded with the same template email.

I didn't bother testing further for more flaws, as I knew at that moment that it wouldn't be fixed in a reasonable time-frame (or perhaps it wouldn't be fixed at all).

In December 2014, the issue still existed. Then I checked it in February 2015. eBay had delivered a completely new web interface, so I can say that the issue has been “fixed”.

I contacted them, informing eBay Security that the issue had been patched, and asking for my place on the eBay researchers acknowledgement page. They did not respond to my email, so I sent another email 2 weeks later, and nothing has been heard from them.

After checking the researchers' page, I found they had not included my name on the company's researchers acknowledgement page, although I had waited 13 months for them to patch the issue.

Final Thoughts: 

What you have read happens to many researchers. I believe I did the right thing with the vulnerability by reporting it right away to the company, but some companies may have an official bug bounty program and still not follow the right steps in handling a private disclosure.

If you haven't done so yet, you should read Bugcrowd's blog. It has a lot of educational content for companies and researchers.

If you are planning to start a bug bounty program, or already have a running program, it will be better for both the company and the researcher to handle security issues in a better and quicker way. I might be patient when reporting vulnerabilities to bug bounty programs, but you do not know how others would react in a similar situation.

eBay is a well-reputed company, and I am glad to have participated in their program despite what happened. I hope they plan to change their bug bounty program's steps for handling a private disclosure for the better.

Update [June 12th, 2015]: eBay contacted me after I published the article, and they acknowledged me by listing my name on the Responsible Disclosure Acknowledgement Page.
Link: http://ebay.com/securitycenter/ResearchersAcknowledgement.html