PayPal Acknowledges Security Flaw Could Put the User’s Credentials at Risk


21 May, 2008, by Desire Athow



Tags: Personal Privacy, Phishing, Scam, Trojans, User Security, Vulnerabilities, paypal


PayPal has acknowledged a cross-site scripting (XSS) flaw that puts at risk the security of its users and says that it is working towards resolving the issue.

Finnish researcher Harry Sintonen discovered a flaw on the website of PayPal, the eBay-owned online payment gateway, which could provide unauthorised access to a user’s credentials or cookies.

What is more disturbing is that the flaw was found on a page that has an Extended Validation SSL (EV-SSL) certificate, which casts doubt on the claims that EV-SSL certificates offer more secure web pages.

Sintonen discovered the flaw just when PayPal was hit by a technical bug that resulted in complete chaos for many e-commerce websites.

The Finnish researcher demonstrated how cross-site scripting could be used to ask users for their login information and then send this information to an unauthorised server.

Sintonen also showed how the flaw could be used to open a pop-up window on a webpage and steal the user's cookies.

In an official statement released by PayPal, the company said that it is not aware of any phishing attacks that have been carried out by using this flaw.

The company spokesperson also maintained that the company started work on resolving this issue as soon as it was informed.

Further, as far as the EV-SSL certificate is concerned, it just validates the identity of the requesting website and does not guarantee that a page is free from security flaws.

Désiré Athow is the Content Editor of ITProPortal.com and has been writing technology articles for nearly a decade.


