PayPal XSS Bug – Again

Tuesday, May 28, 2013 @ 04:05 PM gHale


There is a cross-site scripting vulnerability in the payment processing service PayPal, and a 17-year-old German youth, Robert Kugler, has posted details of it to the Full Disclosure mailing list.

PayPal's servers apparently fail to check strings entered in the German version of the site-wide search field with sufficient rigor. As a result, it is possible to enter JavaScript in this field, which the server then sends back to the browser, and the browser executes it. Attackers can exploit such cross-site scripting (XSS) vulnerabilities to, among other things, steal access credentials.
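The bug class described above, as an added illustration that is not code from the article or from PayPal: a minimal search-results renderer that echoes the query back unescaped (the vulnerable pattern), beside the same renderer with HTML encoding applied to the user-controlled value. The sample query is constructed for the demonstration.

```javascript
// Vulnerable: the raw query is placed straight into the HTML body, so any
// markup or script the user submits is sent back to the browser and run.
function renderSearchVulnerable(query) {
  return `<h1>Search results for: ${query}</h1>`;
}

// Encode the characters that can break out of an HTML text or attribute
// context. Output encoding at the point of insertion is the fix for this
// class of reflected XSS; input "filtering" alone is not sufficient.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: identical template, but every user-controlled value is encoded
// for the HTML context it lands in.
function renderSearchSafe(query) {
  return `<h1>Search results for: ${escapeHtml(query)}</h1>`;
}

// Crude check a code reviewer or integration test can run on rendered
// output: did user-supplied markup survive verbatim as live HTML?
function containsLiveMarkup(html, userInput) {
  return userInput.includes('<') && html.includes(userInput);
}

// Constructed sample input (hypothetical, not the payload from the report).
const sampleQuery = '<script>alert(1)</script>';

console.log('vulnerable:', renderSearchVulnerable(sampleQuery));
console.log('hardened:  ', renderSearchSafe(sampleQuery));
```

A browser-side XSS filter such as the one the article mentions in WebKit is a partial, client-dependent mitigation; the server-side encoding shown here protects every browser.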


The issue can be demonstrated by entering “ in the search field.

The English-language version of search on PayPal directs users to a different, apparently externally run, search engine. The XSS flaw could nonetheless still be of use in attacks on English-speaking PayPal users.

The user has no way of knowing that an attacker injected the code, since the correct PayPal URL appears in the browser address bar and checking the SSL certificate reveals no irregularities either.

The simple attack described by Kugler does not work with WebKit-based browsers (Safari and Chrome), which include an XSS filter. That filter can, however, be bypassed. Opera, Firefox and Internet Explorer users are vulnerable to the PayPal flaw as described.

A previous XSS vulnerability at PayPal, likewise exploitable through insufficiently filtered user input, occurred back in March 2012.

Then as now, the company was happy to advertise itself in Germany as a “Tested payment system” with a certificate issued by TÜV Saarland. In the last financial year, PayPal had a global turnover of $1.5 billion.

Kugler wanted to report the bug to PayPal as part of its official Bug Bounty Program, but the program only pays out to participants who are 18 or over. To vent his frustration, he decided to go public with the problem.
