PayPal Sandbox SSL site vulnerable to cross-site scripting
Written by DP
Saturday, 25 September 2010
UPDATE *26 Sep 2010* - PayPal confirmed today at 13:08 that the issue has been addressed and fixed.
Security researcher "Nemessis" from Romanian teams Hackersblog and RSTcenter has discovered a critical XSS vulnerability affecting PayPal Sandbox. The PayPal Sandbox is a self-contained testing environment within which users can prototype and test PayPal features and APIs. The environment is a duplicate of the live PayPal site, except that no real money changes hands.
However, if the XSS falls into the wrong hands, it can be exploited to attack users of the live PayPal site. Not many PayPal account holders know what "sandbox" means, so if they see the following URL in a phishing e-mail, there is a high chance they will click on it, especially if the XSS attack vector is obfuscated.
https://registration.sandbox.paypal.com/welcomePage.do?devcuserid=64WLDYPG2BBQY&devclogin=%22%3E%3Cscript%3Ealert(%22IXSS%22)%3C/script%3E&bundleCode=C3&country=US&partner=PayPal
Just like with the Sohu webmail XSS, attackers can steal cleartext credentials from millions of registered users by injecting an iframe tag that retrieves another fake PayPal login page from a remote server.
PayPal usually is good at correcting such security issues in a timely manner...
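The `devclogin` value in the link above begins with `">`, which suggests the parameter is echoed into a quoted HTML attribute. The following added example (not PayPal's code; the form markup and all function names are assumptions) renders that value unencoded and then encoded for the attribute context, and counts the tags a browser would see in each case:

```javascript
// The proof-of-concept link from the article, joined onto one line.
const REPORTED_URL =
  'https://registration.sandbox.paypal.com/welcomePage.do?devcuserid=64WLDYPG2BBQY' +
  '&devclogin=%22%3E%3Cscript%3Ealert(%22IXSS%22)%3C/script%3E&bundleCode=C3' +
  '&country=US&partner=PayPal';

// Percent-decode a query parameter, as a server framework does before rendering.
function getParam(url, name) {
  return new URL(url).searchParams.get(name) || '';
}

// Encode a value for use inside a quoted HTML attribute.
function encodeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical template, "before": the value is echoed as-is.
function renderVulnerable(login) {
  return `<input type="text" name="devclogin" value="${login}">`;
}

// Same hypothetical template, "after": the value is encoded for the attribute.
function renderEncoded(login) {
  return `<input type="text" name="devclogin" value="${encodeAttr(login)}">`;
}

// Count tags in markup, ignoring '<' and '>' inside quoted attribute values.
// A template that emits one <input> must still contain exactly one tag.
function countTags(html) {
  let tags = 0, inTag = false, quote = null;
  for (const ch of html) {
    if (!inTag) {
      if (ch === '<') { inTag = true; tags++; }
    } else if (quote) {
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === '>') {
      inTag = false;
    }
  }
  return tags;
}

const login = getParam(REPORTED_URL, 'devclogin');
console.log('unencoded:', countTags(renderVulnerable(login)), 'tags');
console.log('encoded:  ', countTags(renderEncoded(login)), 'tag');
```

The tag count doubles as a regression check: any test input that changes the number of tags a fixed template emits has escaped its attribute.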