
EV SSL-secured live PayPal site vulnerable to XSS

Written by DP

Wednesday, 6 October 2010

*UPDATE - 07/10/2010* - Both issues have already been fixed. Well done PayPal security team! :)

"d3v1l" from Security-Sh3ll has reported another critical XSS flaw affecting the live PayPal site, where "real money" changes hands... This XSS vulnerability once more undermines the security assurance of Extended Validation SSL (EV SSL) digital certificates, since the certificate vouches for the site's identity but does nothing to stop script injected into the page itself... On the 26th of September he also discovered a cross-site scripting hole in the mobile version of the live PayPal site, which was corrected within one day thanks to prompt notification through our early-warning mailing list service.

https://www.paypal.com XSS mirror

The main domain of the PayPal Sandbox site also got XSSed, just 10 days after registration.sandbox.paypal.com was XSSed (now fixed) by "Nemessis".

Screenshot:

Source:

"PayPal XSS vulnerability" - d3v1l - Security-Sh3ll - 6 Oct 2010
