Persistent Flaws in PayPal Allow Cybercriminals to Hijack User Sessions and More

Vulnerability Lab researchers collaborated with the payment processor on fixing the issues

October 2nd, 2012 08:49 GMT

Multiple web vulnerabilities have been identified by Vulnerability Lab researchers on the official PayPal website. The high-severity security holes could have been exploited by a remote attacker against Pro, seller or regular customer accounts.

“A persistent input validation vulnerability is detected in the official PayPal ecommerce website content management system (Customer/Pro/Seller). The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent) of the PayPal web service,” the experts explained.

“The vulnerability is located in the company profile input fields with the bound vulnerable address_id, details (mail) & companyname parameters. The bug affects the important user profile listing, the address listings & security notification (mail),” they added.

A similar vulnerability also affects the mail security notification module.

If exploited successfully, the flaws could have allowed a cybercriminal to hijack user sessions, steal accounts via persistent web attacks, and manipulate context in the affected modules.
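Bugs of this class are closed by validating identifiers on input and encoding stored values at every place they are rendered, including notification mail. The following is an added example, not PayPal's or Vulnerability Lab's code: the field names come from the advisory quoted above, while the function names, record layout and sample values are assumptions.

```python
import html
import re
from email.message import EmailMessage

# Field names follow the parameters named in the advisory; the functions,
# record layout and sample values are assumed for illustration.
ADDRESS_ID_RE = re.compile(r"[0-9]{1,18}")


def validate_address_id(raw: str) -> int:
    """Input side: accept only a plain ASCII decimal identifier."""
    if not ADDRESS_ID_RE.fullmatch(raw):
        raise ValueError("address_id must be numeric")
    return int(raw)


def render_address_row(record: dict) -> str:
    """Profile/address listing sink: encode every stored value on output."""
    return '<tr data-address-id="{}"><td>{}</td><td>{}</td></tr>'.format(
        html.escape(str(record["address_id"]), quote=True),
        html.escape(record["companyname"], quote=True),
        html.escape(record["details"], quote=True),
    )


def build_notification_mail(record: dict, to_addr: str) -> EmailMessage:
    """Security notification sink: the same stored value, encoded again."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = "Your profile was changed"
    # Plain-text part carries the raw value; no markup is interpreted there.
    msg.set_content("Company name changed to: " + record["companyname"])
    # HTML part must be encoded, since mail clients render it as markup.
    msg.add_alternative(
        "<p>Company name changed to: <b>{}</b></p>".format(
            html.escape(record["companyname"], quote=True)),
        subtype="html",
    )
    return msg


# Constructed record standing in for values stored before any input filter.
SAMPLE = {
    "address_id": 42,
    "companyname": '"><script>x()</script>',
    "details": "<b onmouseover=x()>1 Main St</b>",
}
```

Encoding at each sink matters because a persistent value written before an input filter was deployed is still in the database when the listing or the mail is next generated.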

According to the experts, the payment processor was notified of the issues back in July, but the security holes were addressed only in mid-September.

Tech-savvy users can check out the detailed proof-of-concept here.
