Warning! PayPal SSL page vulnerability.
I thought when CA Security Advisor reported PayPal XSS page vulnerability in Feburary of this year, PayPal assured the writer this phishing hole was closed. See the full article: PayPal Closes a Phishing Vulnerability Published Feb 17 2008, 10:44 AM by Stefan Berteau. Was that just a lip service by PayPal?
A new article, different researcher shows the same vulnerability here in yesterday’s report:
A serious scripting error has been discovered on PayPal that could enable attackers to create convincing spoof pages that steal users’ authentication credentials.
The cross-site scripting bug is made all the more critical because it resides on a page that uses an extended validation secure sockets layer certificate. The new-fangled SSL mechanism is designed to give users a higher degree of confidence that the page they’re visiting is secure by turning their browser address bar green.
But Finnish researcher Harry Sintonen figured out a way to inject his own code into a supposedly protected PayPal page even as the green bar lulled visitors into believing it hadn’t been tampered with. Sintonen’s code simply caused an Internet Explorer alert window to open with the words “Is it safe?” as evidenced by the screenshot …..
Full Article with the screenshot of the vulnerability has been published on ChannelRegister.Co.Uk ‘Secure’ PayPal page is… you guessed it by Dan Goodin in San Francisco
16 May 2008 20:57
PayPal’s site is silent about this vulnerability… I guess the “hide your head in the sand” approach or “if you do not admit to ut, it’s not there” speaks volumes about how concerned PayPal really is about safety of their users.
PayPal is no stranger to security vulnerabilities:
- PayPal fixes phishing hole by Joris Evers, CNET News.com Published: June 16, 2006 4:12 PM PDT
- July 20, 2006 Netcraft reports this same XSS PayPal vulnerability existed for 2 years!