Skip to main content

PayPal Acknowledges Security Flaw Could Put the User’s Credentials at Risk

PayPal has acknowledged a cross-site scripting (XSS) flaw that puts at risk the security of its users and says that it is working towards resolving the issue.

Finish researcher, Harry Sintonen discovered a flaw in the online payment gateway, PayPal, on the eBay-owned website, which could be provide unauthorised access to a user’s credentials or cookies.

What is more disturbing is that the flaw was found on a page that has an Extended Validation SSL (EV-SSL) certificate and therefore casts doubt on the claims the EV-SSL certificate offers more secure web pages.

Sintonen discovered the flaw just when PayPal was hit by a technical bug that resulted in a complete chaos for many e-commerce websites.

The Finnish researcher demonstrated how cross-site scripting could be used to ask users for their login information and then send this information to an unauthorised server.

Sintonen also showed how the flaw could be used to open a pop-up window on a webpage and steal the user cookies.

In an official statement released by PayPal, the company said that it is not aware of any phishing attacks that have been carried out by using this flaw.

The company spokesperson also maintained that the company started work on resolving this issue as soon as it was informed.

Further, as far as the EV-SSL certificate is concerned, It just validates the identity of the requesting website and does not guarantee that a page is free from security flaws.

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at ITProPortal.com where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.