PayPal mobile SSL site XSSed

*UPDATED 29/09/2010* - PayPal security team has confirmed on 28/09/2010  that the issue has been addressed and fixed.

-

Two days after the report of the PayPal Sandbox XSS which was finally corrected within a very short time, "d3v1l" from Security-Sh3ll has notified us about a new XSS affecting the PayPal mobile SSL site. The "sender_country" parameter does not properly sanitize input, thus allowing for XSS attacks and potentially malicious redirects to take place, i.e. "><meta http-equiv="Refresh" content="0;url=http://www.malicious.link/">

 

PayPal mobile was also XSSed back in 2007 by "Fugitif" and it was corrected within one day. Their security team is really good at quickly correcting such issues.

 

It is important to mention that PayPal's Site Security Team has subscribed to the early warning mailing list and receive instant alerts whenever a cross-site scripting vulnerability affecting their online properties enters the archive.