HackDig : Dig high-quality web security articles for hacker

PayPal XSS Flaw Opens Door to Attacks

2015-09-03 23:00

A stored XSS vulnerability in PayPal has been uncovered that leaves the e-payment service open to hackers uploading maliciously crafted files capable of launching attacks against registered users of the service.

Researchers from Bitdefender have found that the vulnerability can be used to deliver harmful files or content that enable a wide range of attacks.

The issue lies in the way PayPal processes and encrypts the URLs that transport uploaded files. Bitdefender’s proof-of-concept uses an HTML-formatted XML file uploaded through the “Create an Invoice” section. By tampering with the URL that pulls uploaded files from PayPal’s servers, Bitdefender was able to force the execution of a malicious payload on PayPal’s server. Attackers could then trick users into installing malware or other types of threats.

“The huge reach that cyber-attackers had access to through this vulnerability was a worrying development for a service that prides itself on security,” said Catalin Cosoi, chief security strategist at Bitdefender. “Bitdefender is pleased to have located the flaw and shared it with PayPal, safeguarding the future transactions of its users.”

The stored XSS attack fortunately only works in Firefox and, although it has not been reported in the wild, it could allow hackers to manipulate PayPal. Users are urged to apply PayPal’s fix as quickly as possible.
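The root cause described above is an upload feature that accepts a file whose declared type says "XML" while its body is HTML, and then serves it back from the application's own origin where a browser will render it. The following is an added example, not code from PayPal or Bitdefender, of how an invoice-attachment handler can close that gap on the defender's side: it sniffs the uploaded bytes for active markup regardless of the declared MIME type, and serves anything it does accept as a forced download with `nosniff` and a sandboxing CSP so the file is never rendered as a page. The function names, the allow-list of types and the heuristic pattern are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict

# Attachment types the constructed invoice feature is willing to store at all.
# The list is an assumption for this example, not a PayPal policy.
ALLOWED_TYPES = {
    "application/pdf",
    "image/png",
    "image/jpeg",
    "text/csv",
    "application/xml",
    "text/xml",
}

# Coarse heuristic for markup a browser would execute if the file were rendered
# inline: HTML/SVG container and script-bearing elements, XML stylesheet
# processing instructions, inline event handlers and javascript: URLs. It is
# deliberately broad (it also flags a harmless attribute such as " one=")
# because a false positive costs a rejected upload, a false negative costs an XSS.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(script|iframe|object|embed|svg|html|body|head|meta|link|style|form)\b"
    rb"|<\?xml-stylesheet"
    rb"|\son[a-z]+\s*="
    rb"|javascript:",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ServePolicy:
    allowed: bool
    reason: str
    headers: Dict[str, str] = field(default_factory=dict)


def contains_active_markup(data: bytes) -> bool:
    """True if the leading 64 KiB of an upload contains markup a browser would execute."""
    return ACTIVE_MARKUP.search(data[:65536]) is not None


def safe_filename(name: str) -> str:
    """Drop any directory component and every character that could break or inject
    into a Content-Disposition header (quotes, CR/LF, non-ASCII)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = re.sub(r"[^A-Za-z0-9._ -]", "_", base)
    return cleaned or "attachment"


def plan_download(filename: str, declared_type: str, data: bytes) -> ServePolicy:
    """Decide whether an uploaded attachment may be stored and, if so, which
    response headers it must be served with. Two rules do the work:
      1. the declared MIME type is never trusted on its own: the bytes are
         sniffed for active markup regardless of what the client claimed;
      2. an accepted file is always served as a download (Content-Disposition:
         attachment, nosniff, sandboxed CSP), so even content that slips past the
         sniff is never rendered as a page in the application's own origin."""
    if declared_type not in ALLOWED_TYPES:
        return ServePolicy(False, f"type not allowed: {declared_type}")
    if contains_active_markup(data):
        return ServePolicy(False, "active markup found in upload body")
    headers = {
        "Content-Type": declared_type,
        "Content-Disposition": f'attachment; filename="{safe_filename(filename)}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
        "Cache-Control": "no-store",
    }
    return ServePolicy(True, "ok", headers)


if __name__ == "__main__":
    # Constructed samples: a plain invoice and an "XML" file that is really HTML.
    clean = b"<?xml version='1.0'?><invoice><total>10.00</total></invoice>"
    hostile = b"<?xml version='1.0'?><html><body><script>1</script></body></html>"
    print(plan_download("invoice.xml", "application/xml", clean))
    print(plan_download("invoice.xml", "application/xml", hostile))
```

The two rules are independent on purpose: the sniff stops known-bad bodies from ever being stored, while the download-only response headers mean that a file the sniff misses still cannot run script in the application's origin. Serving user uploads from a separate, cookie-less origin is the usual third layer and is omitted here only because it is an infrastructure decision rather than code.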

PayPal is no stranger to vulnerabilities: last December, a flaw was uncovered that would have enabled a hacker to completely bypass its authentication system. The flaw put 150 million PayPal customers in danger, because the cross-site request forgery (CSRF) prevention system implemented by PayPal had a critical weakness: the token was reusable for a specific user email address or username, meaning that a hacker could intercept the tokens and then simply reuse them to access the account of the associated, logged-in user.
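The CSRF weakness described in the previous paragraph comes down to a token that stays valid across requests and is keyed to the user's identity rather than to the session that issued it. As an added example (not PayPal's code), the store below shows the properties a defender wants instead: each token is bound to one session, expires, and is destroyed the first time it is accepted, so a captured token cannot be replayed. The class and method names are assumptions made for this example.

```python
import hmac
import secrets
import time
from typing import Dict, Optional


class CsrfTokenStore:
    """Server-side CSRF token store in which every token is bound to one session,
    expires, and is destroyed the first time it is accepted.
    Constructed for this example; the names and the in-memory layout are assumptions."""

    def __init__(self, ttl_seconds: int = 900) -> None:
        self._ttl = ttl_seconds
        # session_id -> {token: expiry timestamp}
        self._tokens: Dict[str, Dict[str, float]] = {}

    def issue(self, session_id: str, now: Optional[float] = None) -> str:
        """Mint a fresh unguessable token for a form rendered in this session."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, {})[token] = now + self._ttl
        return token

    def consume(self, session_id: str, presented: Optional[str],
                now: Optional[float] = None) -> bool:
        """Accept a token exactly once, and only from the session that issued it.
        Returns False for a missing, expired, foreign or already-used token."""
        now = time.time() if now is None else now
        bucket = self._tokens.get(session_id, {})
        # Drop expired tokens first so they can never be accepted.
        for stale in [t for t, exp in bucket.items() if exp <= now]:
            del bucket[stale]
        if not presented:
            return False
        # Constant-time comparison against each live token; on match, burn it.
        # Both sides are encoded so attacker-supplied non-ASCII input cannot
        # raise from compare_digest.
        wanted = presented.encode("utf-8")
        for token in list(bucket):
            if hmac.compare_digest(token.encode("ascii"), wanted):
                del bucket[token]
                return True
        return False


if __name__ == "__main__":
    store = CsrfTokenStore(ttl_seconds=60)
    token = store.issue("session-A")
    print("first use:", store.consume("session-A", token))      # True
    print("replay:", store.consume("session-A", token))         # False
    print("other session:", store.consume("session-B", store.issue("session-A")))  # False
```

Binding the token to the session rather than to the e-mail address or username is the property that matters most here: even if an attacker obtains a valid token, it is useless from any other session, and once the victim's own form submission has consumed it, it is useless from that session too.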


Source: www.infosecurity-magazine.com/news/paypal-xss-flaw-opens-door-to/
