What is wrong with PayPal lately? I am a bit surprised that PayPal was until yesterday vulnerable to that XSS vuln which was submitted by 142TeeTH on the 22th of June... Until early today, no prompt action was taken whatsoever by PayPal. Discovering security vulnerabilities in the largest online payment processor was never too easy - even underestimated ones like XSS. When an actual flaw is discovered, then PayPal is evidently known to delay its fixation for various reasons such as their misunderstanding of what cross-site scripting is. Being one of the biggest internet-based enterprises, surely has got the money and thus the power to tightly secure its infrastructure and assure that its customers' privacy is never at risk.
I am not a big fan of PayPal, but do not hate it either. It is known to be the secure and convenient way of paying online for goods and services. However, its million users make it the fraudsters' favorite online phishing scam. Of course we are not going to demonstrate what you can achieve by exploiting this XSS (this is against PayPal's company policy, and highly unethical as could possibly affect negatively their customers and systems). The possible risks that come from successful exploitation of this XSS, are obvious and of different severities.
A few days ago I received the following rather funny e-mail from eNom:
--
from abuse <abuse[4t]enom.com>
to *.protect[4t]whoisguard.com
date 05-Jul-2007 17:02
subject FW: Phishing domain registered by enom
Your domain name is redirecting to a confirmed phishing website (see URL
below). In order to prevent the possible disabling of your domain name,
please take the necessary steps in order have the abusive content
disbanded. Failure to comply with this request could result in the
placing of a registrar-hold on your domain name, which will block DNS
resolution to this domain. Thank you for your cooperation in this
matter.
From: Netcraft Phishing Service [mailto:toolbar[4t]netcraft.com]
Sent: Wednesday, July 04, 2007
To: Brad Ba****; NOC; abuse
Cc: phish-isp-alert[4t]netcraft.com
Subject: Phishing domain registered by enom
The URL below has been confirmed by Netcraft as a phishing
site:
http://vuln.xssed.net/2007/06/22/www.paypal.com/
We are reporting it to you because there are indications that
the domain in the url is registered by you. Details:
matching nameserver "dns1.name-services.com"
--
Fortunately I was not "phished" to believe that the PayPal XSS mirror was a phishing site - despite the fact that this e-mail was sent from "Netcraft Phishing Service" and not "Netcraft Anti-Phishing Service"... :-P
Yesterday I e-mailed back eNom and Netcraft with this subject: "We have been mistakenly listed as phishing website."
PayPal was most likely notified about the issue by Netcraft right away. So the PayPal XSS is not working anymore, and neither of them thanked us for bringing the issues to their attention.
We believe they did not thank us because of the following reason:
If you liked what you just listened to, buy the artists' album/s from Amazon.
--
Update: Monday, 9 July 2007
Netcraft determined that the mirrors are not blocked. Thank you Netcraft! ;-)
--
Lastly, we would like to thank the anonymous individual who unwittingly started it all off, because without him, the privacy of the multi-million PayPal users would still be exposed to a stupid XSS.