Hobbyist Hackers Play a Growing Role in Payment Security

Companies like PayPal and Square reward hackers with "bug bounties" for finding and reporting vulnerabilities before they can be exploited by fraudsters, and their welcoming attitude toward the hacking community is paying off.

Emily Stark, a hacker and core developer at Meteor Development Group, recently received $750 in bounties from Square for reporting two bugs through HackerOne, a website that connects companies with bug bounty hunters. Through her efforts, Square was able to fix two vulnerabilities in its implementation of the OAuth authentication protocol.

"In the past there were a lot of 'black hat' hackers and you were opening yourself up to legal troubles if you were interested in this type of research," Stark said. "Now it's out in the open and HackerOne takes care of all the legal and tax issues; it's a really good thing for the culture of hacking."

One bug Stark found involved the OAuth access token Square uses to prove the identity of each user and what they're authorized to do. The bug allowed websites to use this code more than once, when it should expire after one use.

The other bug Stark found in Square's OAuth implementation also allowed broader access than intended. Websites register and give Square a safe URL where the authorization code can be sent. But with a specific vulnerability, attackers would have been able to trick Square into delivering the code to a URL other than the registered one.

These vulnerabilities were "in Square's live code, but I don't know if they were being exploited," said Stark. "Neither vulnerability is totally disastrous though. You're opening yourself up to attack but these wouldn't lead to [an instant compromise of] all accounts."

Square did not respond by deadline to inquiries about its bug bounty program, which formally launched last week.

In addition to the bounties Stark received from Square, she has also received $150 from WePay, an online payment service provider, for finding an OAuth vulnerability within its code. Stark recommends that companies pay attention to OAuth implementations because they can be tricky to get right.

About a year ago, Stark, who attended grad school at MIT, began working for Meteor. Earlier this year the company put its code on HackerOne. In an effort to see what it was like for testers searching for bugs, Stark started seeking out bounties on her own.  

Stark searches for vulnerabilities on HackerOne "when I have 20 minutes when I'm waiting for the bus or something" she said. "I'm interested in testing sites that people use for important things."

And people's money is especially important, particularly as the payments and retail industries reel from the high-profile data breaches at Target and other companies.

Stark is motivated to continue scouring code on HackerOne for practice and "intellectual exercise," and receiving bounties is just an added bonus. But she said there are a lot of hackers on HackerOne from developing countries that probably find the bounties vital to their livelihood.