Today in APIs: PayPal Flubs Response to Security Flaw

PayPal, along with other companies, responds poorly to discovery of security flaws. Duo Security offers an API for its two-factor identification service. Plus: 5 tips on how to craft APIs for developers, and will Apple make a social TV play?

Why are Companies So Bad at Responding to Security Flaw Discoveries?

Given the power of the Internet, through Twitter, YouTube, Facebook, blogs and more, to dent reputations instantly, you'd think companies would respond with nuance and appreciation when security flaws are discovered. But that's rare. Snapchat is a good example of the flat-footed response. The company closed out 2013 claiming that a hack was only possible in theory, only to see that very hack performed to prove them wrong. Just last week it was discovered that its users were victims of third-party apps that access Snapchat data, resulting in thousands of nude photos being saved and made available on the Internet. As our own Patricio Robles reported, Snapchat claimed that because using unauthorized third-party apps violates its terms of service, it wasn't responsible. It's a bit surprising to see a company that is in the midst of closing a very publicized funding round with none other than Yahoo take such a callous attitude toward the plight of its users. It gets worse. In a follow-up piece, Robles points out that users don't have to violate the terms of service to be victimized and can be caught completely unaware:

Worth keeping in mind: there is no way for users to know that they're sending snaps to other users who are using unauthorized apps and whose accounts are at risk. As a result, Snapchat users who heed the company's warnings could still fall victim to the unofficial ecosystem that has developed around Snapchat.

A dose of humility might be in order. Now comes PayPal, providing another example of how not to respond. It recently had a security risk exposed by researcher Kunz Mejri. In short, PayPal's mobile API does not check whether an account is restricted, the way the web site does.
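The class of gap described above, where one channel enforces an account restriction and another does not, as an added example (not PayPal's code and not from the original article). All account, handler and function names are hypothetical; the "before" handlers check the flag in one channel only, while the "after" handlers share a single policy function.

```python
# Added illustration: all names are hypothetical, not PayPal's code or API.
from dataclasses import dataclass

class Denied(Exception):
    """Raised when account policy blocks a request."""

@dataclass
class Account:
    user: str
    restricted: bool = False

# Constructed sample data.
ACCOUNTS = {"alice": Account("alice"), "mallory": Account("mallory", restricted=True)}

# Before: the restriction check lives inside one channel's handler.
def web_handler_before(user):
    if ACCOUNTS[user].restricted:  # enforced on the web channel...
        raise Denied("account restricted")
    return f"web session for {user}"

def mobile_handler_before(user):
    acct = ACCOUNTS[user]  # ...but the mobile channel never reads the flag
    return f"mobile token for {acct.user}"

# After: one policy function that every channel must go through.
def require_active_account(user):
    acct = ACCOUNTS.get(user)
    if acct is None or acct.restricted:
        raise Denied("unknown or restricted account")
    return acct

def web_handler_after(user):
    return f"web session for {require_active_account(user).user}"

def mobile_handler_after(user):
    return f"mobile token for {require_active_account(user).user}"

def channel_decisions(handlers, user):
    """Map each handler name to 'allow' or 'deny' for a cross-channel regression test."""
    out = {}
    for handler in handlers:
        try:
            handler(user)
            out[handler.__name__] = "allow"
        except Denied:
            out[handler.__name__] = "deny"
    return out
```

Running `channel_decisions` over every entry point for a restricted test account, and failing the build when the decisions differ, catches this kind of drift before release.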


On the surface, PayPal appears to handle these discoveries far better than Snapchat: it operates a "PayPal Bug Bounty Program" designed to flush out problems. Institutionalizing the expectation that there will be problems that need discovery is a great step forward. But its response to Mejri seems hardly a step forward from Snapchat's: first it claimed the breach wasn't possible (just as Snapchat did). Then it did an about-face when presented with a proof-of-concept video. But as Eduard Kovacs reports in SecurityWeek, problems with the PayPal response don't end there:

No reward has been paid out for the vulnerability because the company says it is out of scope, but Kunz Mejri believes it should qualify for a bounty. PayPal told SecurityWeek that it is working on addressing the vulnerability.

Did we read that right? A researcher goes to the trouble of alerting a huge company, then persists when told it isn't possible, then is told, in essence, "We are working to fix it, and we have a rewards program for identifying bugs... but yours doesn't qualify." An appropriate response isn't mysterious. Something along the lines of this would do:

We don't quite understand the security flaw you outline. Please tell us more and persist until we get it; this could be important. ...Okay, now we get it. Thank goodness you figured this out before someone who intended harm did. Here's a small token of our appreciation. Feel free to find more flaws; we need to be the first to know. And thanks again.

Might PayPal and Snapchat care to fix their etiquette flaw?

Update: PayPal has been in communication with the researchers and we have been told that it has made plans to pay them for this bug bounty.

Two-Factor Identification Now Available Via Duo Security's API

Duo Security is all about two-factor identification. Now it's set to unleash that power through an API to make it available across many applications. As Duo Security CEO Dug Song commented, they are out to make their product ubiquitous by simplifying the process:

We're making Duo's two-factor Authentication available to a larger audience with our API Edition. API Edition enables developers to prevent user account takeover by adding strong authentication to web and mobile applications with as few as ten lines of code.

But the company isn't just trying to make its authentication attractive by being convenient. The simple truth is that speed matters where security is concerned, and quick implementation can be critical. Starting at $3 per user per year, the gateway page to getting up and running--to installing two-factor identification in less than a day--is now available.
