January 30, 2013 · SQL Injection PayPal

Blind SQL Injection in PayPal Notifications

On 28th December 2012 I found a Blind SQL Injection vulnerability in PayPal Notifications (https://www.paypal-notify.com).

This bug allowed me to access the database of the PayPal Notifications system. More details on Blind SQL Injection can be read here.

As part of the PayPal Bug Bounty Program, I responsibly disclosed the bug to the PayPal Security Team, and the issue was addressed immediately, just the day after my bug report, due to its high severity.

I'm very thankful to the PayPal Site Security Team for the reward and to Shai Rod for additional help.