Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 16th, 2008

Cross-Site Scripting Vulnerability On Paypal Could Be Used In Phishing Attacks

A cross-site scripting (XSS) vulnerability has been found on the website of PayPal, an online payment processing firm. The vulnerability allows arbitrary code execution and could be used in a phishing attack to gather data from unsuspecting users.

The vulnerability allows a malicious attacker to construct a new page which will appear to be on PayPal's domain name. This fraudulent page could imitate the PayPal login page and harvest account details. Attackers could carry out highly believable attacks by adding their own content to the site and misleading unsuspecting users.

According to Netcraft, the vulnerability is made worse by the fact that the affected page uses an Extended Validation SSL certificate, which causes the browser’s address bar to turn green, assuring visitors that the site belongs to PayPal. Two years ago, a similar vulnerability was discovered on a different page of the PayPal site, which also used an SSL certificate.

This vulnerability was discovered a month after PayPal published a new approach to managing phishing: browsers that do not support EV certificates are to be considered unsafe, and customers who access the website using unsafe browsers will be blocked.

The vulnerability has been reported to PayPal.
