Rogue IFrame injected into the registration form

May 13, 2009 10:11 GMT

Dangerous cross-site scripting vulnerabilities have been discovered in several PayPal websites, potentially facilitating phishing and other attacks. One of the proof-of-concept attacks demonstrates how an arbitrary IFrame can be injected into the PayPal merchant account registration form, over SSL.

The vulnerabilities were reported by Methodman, a grey-hat hacker specializing in finding XSS flaws, who is a member of Team Elite, a group of programmers and security enthusiasts. The flaws affected or continue to affect the registration.paypal.com, www.paypal-press.co.uk and www.paypal-press.fr websites.

The registration.paypal.com site is used by companies to sign up for a business merchant account. The XSS weakness was located in the registration page for accounts using the Payflow Pro payment solution. "Here's a list of what you'll need to sign up for PayPal's Payflow Services: General business information; Primary business contact information; Credit Card and Billing Contact Information; Merchant Bank and Processor Information," the page reads.

As depicted in the screenshots provided by Methodman, a rogue IFrame can be injected into the registration form. This allows an attacker to extend it with rogue fields asking for credit card information, which can then be forwarded to a third-party server. Additionally, arbitrary JavaScript alerts can be displayed on the vulnerable page, and visitors can be redirected to another website.

The ability to force such unauthorized behavior can significantly assist cyber-crooks in orchestrating complex phishing schemes. However, these problems are not limited to this PayPal registration page. As Methodman reveals, PayPal's websites for its media centers in the UK and France are vulnerable to similar attacks. More specifically, both of them are vulnerable to IFrame injections, as well as rogue JavaScript prompts and redirects.

Cross-site scripting weaknesses are the result of the failure to properly escape input sent through forms and are the most widespread vulnerabilities on the Web today. Security researchers claim that tens of thousands of pages are being compromised and abused through XSS every single day, even if for short periods of time.
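The escaping failure described above can be checked mechanically. The following is an added example, not part of the original article and not PayPal's code: it re-renders a submitted form value with and without output encoding, then parses the result to see which elements the browser would actually build. The form markup, the `company` field name and the sample value are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical form template; the "company" field is an assumption.
FORM = '<form method="post"><input type="text" name="company" value="{value}"></form>'
EXPECTED_TAGS = ["form", "input"]  # the only elements the template should produce

# Constructed sample of a submitted value that breaks out of the attribute.
SUBMITTED = '"><iframe src="https://third-party.example/"></iframe>'


def render_unescaped(value: str) -> str:
    """Reflects the submitted value verbatim: the failure mode."""
    return FORM.format(value=value)


def render_escaped(value: str) -> str:
    """Encodes & < > and both quote characters before reflecting the value."""
    return FORM.format(value=escape(value, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag and the decoded value of each <input>."""

    def __init__(self):
        super().__init__()
        self.tags, self.values = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.values.append(dict(attrs).get("value"))


def inspect(page: str):
    """Returns (start tags in order, decoded input values) for a rendered page."""
    parser = TagCollector()
    parser.feed(page)
    parser.close()
    return parser.tags, parser.values


def unexpected_tags(page: str):
    """Elements present in the page that the template never declared."""
    return [t for t in inspect(page)[0] if t not in EXPECTED_TAGS]


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        print(render.__name__, "->", unexpected_tags(render(SUBMITTED)))
```

With encoding applied, the submitted text survives intact as the field's value, so the user still sees what they typed, but no new element reaches the DOM.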

Methodman announced that the "Paypal Staff has been alerted about this." At the time of writing this article, the more potentially dangerous flaw on registration.paypal.com seemed to have been addressed, but the ones on paypal-press.co.uk and paypal-press.fr were still active.
