EV SSL-secured live PayPal site vulnerable to XSS

Written by DP

Wednesday, 6 October 2010

*UPDATE - 07/10/2010* - Both issues already fixed. Well done PayPal security team! :)

"d3v1l" from Security-Sh3ll has reported another critical XSS flaw affecting the live PayPal site, where "real money" changes hands... This XSS vulnerability once more undermines the security of Extended Validation SSL (EV SSL) digital certificates... On the 26th of September, he also discovered a cross-site scripting hole in the mobile version of the live PayPal site, which was corrected within one day thanks to prompt notification by our early warning mailing list service.

Also, the main domain of the PayPal Sandbox site got XSSed, just 10 days after got XSSed (now fixed) by "Nemessis".



"PayPal XSS vulnerability" - d3v1l - Security-Sh3ll - 6 Oct 2010
