XSS Vulnerability at PayPal could lead to Phishing

By
May 16, 2008 | News, Thoughts from the team

A cross-site scripting vulnerability (XSS) has been found in online payment processing firm PayPal’s website. The vulnerability allows arbitrary code execution and could be used in a Phishing attack to gather data from unsuspecting users.

This is a delightfully ironic story on the back of news that Paypal is planning to block ‘unsafe’ browsers that do not implement a variety of security features to help prevent phishing. Perhaps they should try looking a little close to home first!

paypal xss vulnerability

Potential for Phishing

The vulnerability allows a malicious attacker to construct an entirely new page which will appear to be on the paypal.com domain name. This fraudulent page could mimic the PayPal login and harvest account details.

Paypal xss allows code execution

And with a little more imagination you can do funny things like putting the WikiPedia XSS page onto PayPal:

paypal xss whole

The vulnerability has been reported to PayPal, lets hope they close the hole before people fall victim to this.

More like this