A cross-site scripting (XSS) vulnerability has been found in online payment processing firm PayPal's website. The vulnerability allows arbitrary code execution and could be used in a phishing attack to gather data from unsuspecting users.
This is a delightfully ironic story on the back of news that PayPal is planning to block 'unsafe' browsers that do not implement a variety of security features to help prevent phishing. Perhaps they should try looking a little closer to home first!
Potential for Phishing
The vulnerability allows a malicious attacker to construct an entirely new page which will appear to be on the paypal.com domain name. This fraudulent page could mimic the PayPal login and harvest account details.
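The mechanism behind this kind of flaw is a page that reflects user-controlled input into its HTML without encoding it, so the input is parsed as markup rather than text. The following is an added example, not code from the original post or from PayPal: it shows a constructed vulnerable renderer beside its hardened form, plus a small regression check a defender can keep in a test suite. All function names and the sample probe string are assumptions made for illustration.

```javascript
// Added example (not from the original post or PayPal's code base).
// Demonstrates how reflected XSS arises and how HTML output encoding
// neutralises it. Function names and the probe string are assumptions.

// Minimal entity encoder for the HTML text and attribute-value contexts.
// Every character that can open a tag, close an attribute or start an
// entity is replaced with its entity equivalent.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE (constructed): a search page that reflects the query verbatim.
// Whatever the user sends becomes part of the page's markup.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// HARDENED: same page, but the query is encoded before insertion, so the
// browser renders it as literal text in the heading.
function renderSearchHardened(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Regression check a defender can run over any renderer: does a probe
// containing markup survive into the output unencoded? Returns true when
// the renderer is unsafe for the HTML text context.
function reflectsUnencoded(renderFn, probe) {
  const out = renderFn(probe);
  return out.includes(probe) && /<[a-z!/]/i.test(probe);
}

// Constructed probe: a harmless tag-shaped string, sufficient to show
// whether the renderer treats input as markup.
const PROBE = "<script>alert(1)</script>";

// Stand-alone demonstration when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable :", renderSearchVulnerable(PROBE));
  console.log("hardened   :", renderSearchHardened(PROBE));
  console.log("vulnerable reflects unencoded:", reflectsUnencoded(renderSearchVulnerable, PROBE));
  console.log("hardened reflects unencoded  :", reflectsUnencoded(renderSearchHardened, PROBE));
}
```

The encoder above is specific to the HTML text and attribute-value contexts; input placed inside a `<script>` block, a URL, or a CSS value needs the encoding rules of that context instead, which is why templating libraries expose context-aware escaping rather than one generic function.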
And with a little more imagination you can do funny things like putting the Wikipedia XSS page onto PayPal:
The vulnerability has been reported to PayPal; let's hope they close the hole before people fall victim to this.