Softpedia
September 27th, 2010, 16:27 GMT · By

Two XSS Vulnerabilities Found on PayPal Websites

XSS vulnerabilities found on the PayPal sandbox and mobile websites
Two security researchers have independently identified cross-site scripting vulnerabilities in PayPal's mobile and sandbox websites over the weekend, which could have been exploited in phishing attacks.

The XSS weakness on the registration.sandbox.paypal.com website was discovered by a member of the Romanian Security Team (RST) outfit, who goes by the online nickname of Nemessis.

PayPal Sandbox is a replica of the real PayPal website where users can register accounts and test features using non-sensitive data.

Nevertheless, the website is hosted on the paypal.com domain and uses a valid SSL certificate issued to PayPal.

Nemessis reported the vulnerability to the XSSed Project on Friday, which published it a day later. The flaw can be exploited by tricking a user into opening a specially crafted URL.

One of the exploit scenarios involves loading a fake PayPal login form from an external domain inside an iframe on the vulnerable page.

"Not many PayPal account users know what the meaning of sandbox is, so if they see the [...] URL in a phishing e-mail, there are high chances to click on it, especially if the XSS attack vector is obfuscated," Dimitris Pagkalos, co-founder of the XSSed Project, explains.

The vulnerability was patched rather quickly, but a similar flaw was identified on mobile.paypal.com the next day by another Romanian security researcher who calls himself d3v1l.

This one is at least as dangerous, because it sits on the mobile version of the PayPal site, which handles live account data rather than test data.

This means that in addition to loading a rogue iframe or performing a redirect to another website, the vulnerability can also be used to steal the session cookie of authenticated users.
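The scenarios above (a crafted URL that plants an iframe or a redirect, and script that reads the session cookie) all come from one root cause: a page echoing a URL parameter into its HTML unencoded. The following is an added example written for this page, not code from the article, Softpedia or PayPal. It shows that reflection point in a vulnerable and a hardened form, the cookie flag that limits what a reflected script can read, and a coarse check that a log reviewer could run over request URLs. The host names, the "msg" parameter, the "sid" cookie name and the sample requests are all constructed for the demonstration.

```javascript
// Added example, not code from the article, Softpedia or PayPal. It models the
// bug class described: a page that reflects a URL parameter into its HTML.
// All URLs, parameter names and cookie names below are constructed for the demo.

// Minimal HTML encoder for text placed inside an element body or a quoted attribute.
function htmlEscape(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pull the reflected parameter (hypothetical name "msg") out of a request URL.
function messageFromUrl(url) {
  return new URL(url).searchParams.get('msg') || '';
}

// Vulnerable rendering: the parameter is interpolated into markup unchanged, so
// a crafted URL can plant an iframe, a redirect, or a script that reads cookies.
function renderUnsafe(message) {
  return `<p class="notice">${message}</p>`;
}

// Hardened rendering: the same value is encoded, so it can only ever be text.
function renderSafe(message) {
  return `<p class="notice">${htmlEscape(message)}</p>`;
}

// Session cookie with HttpOnly: even if an injection slips through, document.cookie
// does not expose the session identifier to script running on the page.
function sessionCookieHeader(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Coarse triage check for access-log review: a plain message should not contain
// tags, inline event handlers or javascript: URLs. It surfaces candidates for a
// human to look at; it is not a substitute for output encoding.
function looksLikeMarkupInjection(value) {
  return /<\s*\/?\s*[a-z!]/i.test(value) ||
    /javascript\s*:/i.test(value) ||
    /\bon\w+\s*=/i.test(value);
}

// Run the check and both renderers over a list of request URLs.
function triageRequests(urls) {
  return urls.map((url) => {
    const msg = messageFromUrl(url);
    return {
      url,
      flagged: looksLikeMarkupInjection(msg),
      unsafeHtml: renderUnsafe(msg),
      safeHtml: renderSafe(msg),
    };
  });
}

// Constructed sample requests: a benign one and one carrying an injected iframe
// that would load a login form from a domain the site does not control.
const BENIGN_URL = 'https://sandbox.example/register?msg=Welcome+back';
const INJECTED_URL =
  'https://sandbox.example/register?msg=' +
  encodeURIComponent('<iframe src="https://lookalike.example/login"></iframe>');

console.log(JSON.stringify(triageRequests([BENIGN_URL, INJECTED_URL]), null, 2));
console.log(sessionCookieHeader('constructed-session-id'));
```

The encoder covers the two contexts the article's scenarios need (element body and quoted attribute); values placed into a URL, a script block or a CSS context need context-specific encoding, which this example does not attempt.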

This second bug has not yet been confirmed as fixed, but Mr. Pagkalos notes that PayPal's security team is subscribed to the project's early-notification mailing list, which means they are notified of vulnerabilities found on their domain instantly.

Copyright © 2001-2012 Softpedia.