PayPal XSS flaw could have let hackers steal your unencrypted credit card details

Graham Cluley

A cross-site scripting (XSS) flaw on PayPal’s website could have been used by hackers to phish for your login credentials, and even steal your unencrypted card details.

But thankfully the vulnerability was found by a responsible researcher, who informed PayPal about the problem and saved the web’s most popular payment service from being embarrassed by a massive security gaffe.

Ebrahim Hegazy, an Egyptian vulnerability hunter, has made a name for himself finding security holes on websites belonging to some of the world’s biggest technology names – including Google, Yahoo, Microsoft, Twitter, Yandex, and eBay. But earlier this year, Hegazy (who goes by the online handle of “zigoo0”) turned his attention to securepayments.paypal.com.


I don’t know about you, but when I buy goods online I quite often prefer to pay via PayPal rather than give yet-another-store my credit card details. My feeling is that PayPal is more likely to have its act together security-wise than, say, a small website I may never need to purchase from ever again.

And that’s precisely the thought that any hacker exploiting the XSS flaw in PayPal would be banking upon.

As Hegazy explains in a blog post, a malicious actor would create a bogus online store with an option to make the purchase via a payment card or PayPal account.

When the victim clicks on the bogus store’s “Checkout” button they are taken to a URL that exploits the XSS flaw on securepayments.paypal.com, and are shown a phishing page which asks them to enter their payment information and/or login details.

In this way, the sensitive data can be hoovered up and put straight into the hands of the hackers. And, as far as the poor purchaser is concerned, they were on the legitimate PayPal website the whole time.
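The defensive counterpart to the flow described above, as an added example that is not from the article, from Hegazy or from PayPal: a constructed checkout page that reflects query parameters into its HTML, shown unpatched and then with output encoding, plus a helper that checks whether a response echoes raw markup and the response headers that limit what injected markup could do. The host name, parameter names and function names are all assumptions made for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed example: a checkout page that reflects merchant-supplied
# query parameters (merchant name, amount) into its HTML. Names are assumed.


def render_unsafe(merchant: str, amount: str) -> str:
    """Vulnerable: untrusted values are concatenated straight into markup."""
    return "<h1>Pay " + merchant + "</h1><p>Amount: " + amount + "</p>"


def render_safe(merchant: str, amount: str) -> str:
    """Hardened: every untrusted value is HTML-entity-encoded for the
    element-content context it lands in, so any markup in it is shown as text."""
    return (
        "<h1>Pay " + html.escape(merchant, quote=True) + "</h1>"
        "<p>Amount: " + html.escape(amount, quote=True) + "</p>"
    )


def checkout_params(url: str) -> dict:
    """Extract merchant and amount from a checkout URL (first value of each)."""
    qs = parse_qs(urlsplit(url).query)
    return {k: qs.get(k, [""])[0] for k in ("merchant", "amount")}


def reflects_markup(page: str, value: str) -> bool:
    """Detection helper: does the page echo a value that contains markup
    characters without encoding them? True flags a reflected-XSS sink."""
    return value in page and html.escape(value, quote=True) != value


def security_headers() -> dict:
    """Defence in depth: headers that stop inline script from running and
    stop the page being framed, even if an encoding bug slips through."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
    }


if __name__ == "__main__":
    # Constructed checkout link with a harmless markup probe in the merchant name.
    link = "https://checkout.example/pay?merchant=%3Cb%3EShop%3C%2Fb%3E&amount=100"
    p = checkout_params(link)
    print("unsafe page reflects markup:", reflects_markup(render_unsafe(**p), p["merchant"]))
    print("safe page reflects markup:  ", reflects_markup(render_safe(**p), p["merchant"]))
```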

Now when you (PayPal user) click on Submit Payment button, instead of paying let’s say “100$” YOU WILL PAY THE ATTACKER WHATEVER AMOUNT THE ATTACKER DECIDES!!

Hegazy made a YouTube video demonstrating how the flaw could be exploited, and showing just how easy it was to grab sensitive details such as unencrypted credit card details.

Hegazy informed PayPal of the serious security flaw on June 19th, and it was confirmed to be fixed yesterday – just over two months later.

SecurityWeek reports that Hegazy received a bug bounty of $750 for his discovery, which is the maximum that the firm pays out for cross-site scripting vulnerabilities.

But no-one should be fooled into thinking that someone more maliciously-minded wouldn’t have been able to earn a much larger amount of money by keeping the flaw to themselves, or selling it on to other criminals.

The truth is that XSS flaws continue to riddle many websites around the globe, making the problem a perennial feature of OWASP’s top 10 vulnerabilities hall of shame.

Scores of new XSS flaws are found every week, affecting websites big and small – all because not enough care has been taken by web developers to write their code securely.

Heck, even the National Vulnerability Database, the US institution responsible for providing information about security flaws, was found to be suffering from its own cross-site scripting vulnerability earlier this year.

This article originally appeared on the Heat Software blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on LinkedIn, Bluesky and Mastodon, or drop him an email.
