Blind SQL Injection in PayPal Notifications

Prakhar Prasad

Tue, 29 Jan 2013

On 28th December 2012, I found a Blind SQL Injection vulnerability in PayPal Notifications (https://www.paypal-notify.com).

This bug allowed me to access the database of the PayPal Notifications system. As a part of the PayPal Bug Bounty Program, I did a responsible disclosure of the bug to the PayPal Security Team, and the issue was addressed immediately, just the next day after my bug report, due to its high severity.

I’m very thankful to the PayPal Site Security Team for the reward and Shai Rod for additional help.