PayPal patches stored XSS vulnerabilities discovered by bounty hunters

Stored XSS vulnerabilities exposed payments page and opened PayPal users to malicious file attacks, say researchers.

PayPal pays bug bounties for stored XSS vulnerabilities

PayPal has patched stored XSS vulnerabilities in its secure payments page that would have enabled an attacker to compromise user accounts and transactions.

One attack targeted the payments page, https://securepayments.paypal.com/cgi-bin/acquiringweb.

To exploit the vulnerability, the attacker would begin by setting up a shopping site or hacking into an existing site. They would alter the checkout button by adding the malicious code and then wait for a user to come along to purchase something from the site.

The malicious code added to the checkout button would be a carefully crafted HTML form.

After shopping, the user would click the checkout button and be taken to https://Securepayments.Paypal.com to pay. 

PayPal payments page targeted

That page would show the purchase details the user expects to see, but the attacker is in control of the page and has modified the submit payment button to pay the attacker whatever amount he wants.

PayPal reportedly paid out US$750 (£500) for this bug, according to security researcher Ebrahim Hegazy, writing on vulnerability-lab.com.

Meanwhile, Bitdefender has published details of another XSS vulnerability on PayPal that would have enabled an attacker to upload malicious files to attack PayPal customers.

The problem was in the way PayPal processed and encrypted the URLs that pull uploaded files, according to Ionut Cernica, a Bitdefender researcher. By experimenting with the id parameter for uploaded files, it was possible to manipulate PayPal URLs and trick users into downloading malicious files or visiting fraudulent websites.

This attack only worked in Firefox because, when the User-Agent header contained the word “Firefox”, the response did not set a Content-Disposition header, so the browser rendered the uploaded file rather than treating it as a download.
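As an added illustration (not PayPal's code, which is not public), the following Python models the User-Agent-dependent header logic described above beside a hardened version that serves every upload as an attachment regardless of browser; the sample User-Agent strings, file names and function names are constructed for the example.

```python
import re

# Constructed sample User-Agent strings (not taken from the article).
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36"


def weak_download_headers(user_agent: str, filename: str, content_type: str) -> dict:
    """Headers for a user-uploaded file, modelled on the flaw the article describes:
    Content-Disposition is skipped whenever the User-Agent mentions Firefox, so that
    browser renders the upload inline (HTML included) instead of downloading it."""
    headers = {"Content-Type": content_type}
    if "Firefox" not in user_agent:
        headers["Content-Disposition"] = f'attachment; filename="{filename}"'
    return headers


def safe_filename(filename: str) -> str:
    """Keep only characters that cannot break the header value or inject a new header."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return cleaned or "download"


def hardened_download_headers(filename: str, content_type: str) -> dict:
    """Headers that do not depend on the User-Agent at all: every uploaded file is
    served as an attachment, the browser is told not to sniff the type, and a
    restrictive CSP keeps any script in the file inert if it is ever rendered."""
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_filename(filename)}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def serves_inline(headers: dict) -> bool:
    """True when a response would be rendered by the browser rather than downloaded."""
    disposition = headers.get("Content-Disposition", "")
    return not disposition.lower().startswith("attachment")


if __name__ == "__main__":
    for ua in (FIREFOX_UA, CHROME_UA):
        weak = weak_download_headers(ua, "invoice.html", "text/html")
        print(ua.split()[-1], "weak inline:", serves_inline(weak))
    print("hardened inline:", serves_inline(hardened_download_headers("invoice.html", "text/html")))
```

The `serves_inline` check is the kind of assertion a download endpoint's tests should make for every User-Agent it is exercised with, not only the one the developer happened to use.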

Security experts were quick to point out the benefits that PayPal had garnered from its bug bounty programme in these and other cases.

Dave Ashton at Sec-1 commented: “Nobody is infallible; if PayPal and their vast teams of experience can produce apps with these vulnerabilities, then so can your everyday web developer. These everyday sites are not going to attract the same level of commercial interest in bug disclosure, therefore all they can do is perform regular vulnerability assessment and penetration testing to manage their risks.”

TK Keanini, CTO at Lancope, agreed. “This is the reason why bug bounty programs work so well. Vulnerabilities will be found in your application; the question is only how timely you can detect and remedy them,” he said.