Hacking PayPal
Image credits: PayPal.com

A critical security vulnerability has been discovered in the eBay-owned PayPal that could allow attackers to steal login credentials and credit card details in plain text.

Stored XSS Vulnerability.

A critical stored XSS Vulnerability was found in PayPal's secure payment system by Egypt-based researcher Ebrahim Egazy. The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw. It occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.

About the Vulnerability

The vulnerability was found at the PayPal Secure payment URL https://securepayments.paypal.com/cgi-bin/acquiringweb. Paypal SecurePayments domain is used by PayPal users to do secure payments when purchasing from any shopping site. This secure payments page require Paypal users to fill some forms that include their Credit Card number, CVV2, Expiry date and more to finalize the payment and purchase the products via their PayPal account. In normal cases, the submitted data is processed through encrypted channel(HTTPS) so attackers won’t be able to sniff/steal such data.

The researcher was able to find a stored XSS vulnerability that affects the SecurePayment page directly which allowed him to alter the page HTML and rewrite the page content. This makes it possible for an attacker to provide his own HTML forms to the user and send the users data back to attacker’s server in clear text format. This information can be used to purchase anything on behalf of users or even transfer the user's money to attackers account.

Steps to exploit Stored XSS Vulnerability

The researcher gives a detailed step by step explanation as below, in his blog. According to him the worst attacking scenario that could be conducted using this vulnerability is as below:

  • An attacker needs to set up a rogue shopping site or hijack any legitimate shopping site
  • Now modify the "Checkout" button with an URL designed to exploit the XSS vulnerability
  • Whenever Paypal users browse the malformed shopping website and click on "CheckOut" button to Pay with their Paypal account, they'll be redirected to the Secure Payments page
  • The page actually displays a phishing page where the victims are asked to enter their payment card information to complete the purchasing.
  • Now on clicking the Submit Payment Button, instead of paying the product price (let's say $100), the Paypal user will pay the attacker amount of attacker's choice.

Vulnerability Is patched now.

Egazy reported the bug to PayPal team on June 19th and it was fixed on August 25. He was also rewarded by PayPal with a bug bounty of $750 as per their bug bounty policies.


Also Read: R.I.P Adobe Flash. It's Time To Move On!

Post a Comment

  1. E r R 0 r e 404.™ ( ͡° ͜ʖ ͡°)
    im hacker and offering Folowing Services contact me if you intersted
    in any thing i do fair deals try me first
    skype : suzi.maan1
    yahoo IMI : suzimaan@yahoo.com
    Hang out : suzimaan@gmail.com
    icq :675452902
    i got Wu bug New versoion that i use to make western union transfer
    my prize is listed i will show you each and everythingabout wu bug ,
    Western Union Prize :
    1000$ in 225$
    1500$ in 250$
    2000$ in 350$
    2999$ in 450$
    well if you know about carding i m offerring folowing tools with fair prize .
    Carding Tools :
    RDP: 15$ any country
    HMA: 25$ unlimited 12 month
    Vip72: 25$ unlimited 6 month
    card validator : 50$ (for fixing un-valide card number and bin checker)
    wu Java bypass Script ,(by pass any page with your giving commands)
    Fresh fullz random world wide is here now.
    Credit cards :
    random : 20$ per one
    fullz : 30$ per one (with Dob + SSN + MMN + Driving license + )
    relesed 2015 zeus : 200$ (with fud crypted jpeg,pdf or doc file)
    relesedkey loger : 150$ (for email,pm and btc logs)
    ninja Rat : 100$ (with fud crypted jpeg,pdf or doc file)
    cidital : 150$ (with fud crypted jpeg,pdf or doc file)
    Contact me:
    skype : suzi.maan1
    yahoo IMI : suzimaan@yahoo.com
    Hang out : suzimaan@gmail.com
    icq :675452902