PayPal has been partnering with the hacker community since launching a bug bounty program in 2012 and in April 2022, they returned for their third live hacking event. As usual, PayPal showed up ready to engage the best of the best of HackerOne’s community in order to put their mobile products and apps to the test. And did they ever.
Here's what they had to say:
“We came back for our third Live Hacking Event because we know how important these events are. Not only do we build strong relationships with the most elite hackers in the world, but they also help us prioritize the most critical mobile security processes while making sure our customers, our merchants, and their data remain protected,” said Assaf Keren, Chief Information Security Officer and Vice President, Enterprise Cyber Security for PayPal.
PayPal was joined by heavy hitters from our community and a dedicated triage team who came prepared to ice some bugs.
Hackers ran through a black box engagement discovering a gallery of potential vulnerabilities. This included bugs in the realms of account takeover, authentication, transactions, and live security controls.
With proxies on and scripts ready, a group of 52 hackers from 17 different countries joined us to test their mettle. We are also happy to give a shoutout to seven hackers new to our LHE!
Let’s turn to the scoreboard and give some props to our victors:
1st Place: 82af5ddffbb795
2nd Place: alexbirsan
3rd Place: rhynorater
Cheers to the overall top contenders! A mountain of respect for the work they put in throughout this event.
Additionally, we want to note that 82af5ddffbb795 came through as a tour de force by not only grabbing the top spot, but also claiming our Exterminator bonus for the best bug of the event. Their consistency, community engagement, and critical findings gave them the well-deserved title of H1-2204’s Most Valuable Hacker!
Bonuses
There’s nothing more powerful than great minds coming together. This will filled with great collabs. Whether it’s on a team, or simply volunteering time to aid a friend - these hackers went above and beyond in their efforts to rise together. Here's a look at the bonuses for this event:
Going outside is highly overrated (Best Regional Bug): jonathanbouman
Competition brings out the best in me (Most Valid(s) in Non-focus Area): rhynorater
I just came here to escape, but I found something much bigger than myself (Most Professional Researcher):
- Muon4
- the_arch_angel
- inhibitor181
Anorak’s Almanac (Best Written Submission): corb3nik
No one is a failure who has friends (Best Collab):
- Edduu, base_64, alexbirsan
Also
- Avishai & nagli
You’re evil, you know that? (Most Creative Submission):
- rhynorater
- spaceraccoon
Things use to be awesome, but now they’re kinda terrifying (Best Auth2 & AuthN Bug): 82af5ddffbb795
The Magic Number (Most Valid Bug in All Focus Areas): alexbirsan & oag
The Golden Egg (Highest Total Impact Submissions Within Focus Areas): 82af5ddffbb795
After ten years of partnering with hackers, PayPal is a leader in cybersecurity and hacker relationship building. We were thrilled to work with PayPal once again to uncover new ways to reduce their risk and build proactive security practices. Arm in arm with the community, this collaboration reaffirmed PayPal’s commitment to continuously improving the security of their mobile experience.
We’re already looking forward LHE #4...stay tuned for an announcement on h1-3493 in just a few short weeks 🇪🇸 😎