PayPal has acknowledged a cross-site scripting (XSS) flaw that puts at risk the security of its users and says that it is working towards resolving the issue.
Finish researcher, Harry Sintonen discovered a flaw in the online payment gateway, PayPal, on the eBay-owned website, which could be provide unauthorised access to a user’s credentials or cookies.
What is more disturbing is that the flaw was found on a page that has an Extended Validation SSL (EV-SSL) certificate and therefore casts doubt on the claims the EV-SSL certificate offers more secure web pages.
Sintonen discovered the flaw just when PayPal was hit by a technical bug that resulted in a complete chaos for many e-commerce websites.
The Finnish researcher demonstrated how cross-site scripting could be used to ask users for their login information and then send this information to an unauthorised server.
Sintonen also showed how the flaw could be used to open a pop-up window on a webpage and steal the user cookies.
In an official statement released by PayPal, the company said that it is not aware of any phishing attacks that have been carried out by using this flaw.
The company spokesperson also maintained that the company started work on resolving this issue as soon as it was informed.
Further, as far as the EV-SSL certificate is concerned, It just validates the identity of the requesting website and does not guarantee that a page is free from security flaws.