BeforeItsNews only exists through ads. We ask all patriots who appreciate the evil we expose and want to
help us savage the NWO with more Truth to disable your ad-blocker on our site only so we can grow and expose more evil! Funding
gives us more weapons! Thank you patriots! Oh and If you disable the Ad-blocker - on your deathbed you will receive total
consciousness. So you got that going for you...which is nice!
A critical security vulnerability has been discovered in the eBay owned global e-commerce business PayPal that could allow attackers to steal your login credentials, and even your credit card details in unencrypted format.
Egypt-based researcher Ebrahim Hegazy discovered a Stored Cross Site Scripting (XSS) vulnerability in the Paypal’s Secure Payments domain.
As it sounds, the domain is used to conduct secure online payments when purchasing from any online shopping website. It enables buyers to pay with their payment cards or PayPal accounts, eliminating the need to store sensitive payment information.
However, it is possible for an attacker to set up a rogue online store or hijacked a legitimate shopping website, to trick users into handing over their personal and financial details.
How the Stored XSS Attack Works?
Hegazy explains a step by step process in his blog post, which gives a detailed explanation of the attack.
Here’s what the researcher calls the worst attack scenario:
An attacker need to set up a rogue shopping site or hijack any legitimate shopping site
Now modify the “CheckOut” button with a URL designed to exploit the XSS vulnerability
Whenever Paypal users browse the malformed shopping website, and click on “CheckOut” button to Pay with their Paypal account, they’ll be redirected to the Secure Payments page
The page actually displays a phishing page where the victims are asked to enter their payment card information to complete the purchasing
Now on clicking the Submit Payment Button, instead of paying the product price (let’s say $100), the Paypal user will pay the attacker amount of attacker’s choice
Video Demonstration
The researcher has also provided a proof-of-concept (PoC) video that shows attack in work. You can watch the video here.
Hegazy reported this serious security vulnerability to the PayPal team on June 19th, and the team confirmed the security hole, which was fixed on August 25 – just over two months later.
PayPal has also rewarded Hegazy with a bug bounty of $750 for his findings, which is the company’s maximum bug bounty payout for XSS vulnerabilities.
About the author
Senior Technical Writer at Hacker News. Social Media Lover and Gadgets Girl. Speaker, Cyber Security Expert and Technical Writer.
Subscribe for Updates
Want more Interesting News like this? Sign up here to receive the best of ‘The Hacker News’ delivered daily straight to your inbox.