New cross-site scripting (XSS) vulnerabilities that can be leveraged to create very credible phishing attacks have been identified on PayPal and eBay.
The PayPal XSS weakness was discovered by a Romanian security enthusiast using the online handle of d3v1l, who disclosed it on his blog.
Cross-site scripting vulnerabilities are the result of poor validation of input submitted through Web forms and allow attackers to generate pages containing unauthorized code.
There are several types of XSS bugs. Persistent ones are the most dangerous and can be exploited to inject code into pages permanently.
Meanwhile, reflected XSS flaws can only be exploited by tricking users into opening specially crafted URLs, which causes the injection to reoccur on every page load.
The cross-site scripting weakness found by d3v1l is of the reflected type, but it can be used to create very credible phishing emails.
It's already common knowledge that PayPal is amongst the most phished brands on the Internet and that PayPal accounts are valuable for attackers, because they can be used for financial fraud directly.
Most phishing-aware users are thought to always check the destination of links received via email before clicking on them.
Unfortunately, this XSS vulnerability allows crafting paypal.com URLs that redirect users to phishing pages hosted on external domains.
A lot of users are likely to miss that they are on a different website, because they already made sure the clicked URL pointed to paypal.com.
The eBay XSS weakness was discovered and reported to the XSSed Project by a user calling himself Side3ffects.
This flaw is even more dangerous than the PayPal one because it allows for persistent attacks. It is located in the form used by account owners to edit their profile information.
The bug allows attackers to create rogue profile pages that can prompt alerts, load external sites inside iframes or perform other unauthorized actions.
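
The two cases described above, as an added example that is not code from PayPal, eBay or the researchers: a persistent injection through a stored profile field and a reflected one through a URL parameter, each next to the output-encoded version that renders the same input as inert text. The function names, the `q` parameter and the example.invalid hosts are assumptions made for illustration.

```javascript
// Added example: hypothetical handlers, not PayPal's or eBay's code.

// Encode the characters that let text break out of HTML content or a quoted attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Persistent case: the value is saved once and served to every visitor of the profile.
const profiles = new Map(); // stands in for a database table

function saveProfile(user, about) {
  profiles.set(user, about); // stored as submitted; encoding is applied at output time
}

function renderProfileUnsafe(user) {
  return `<div class="about">${profiles.get(user) ?? ''}</div>`; // raw interpolation
}

function renderProfileSafe(user) {
  return `<div class="about">${escapeHtml(profiles.get(user) ?? '')}</div>`;
}

// Reflected case: the value comes from the request URL and is echoed in the response,
// so it only appears for users who open that particular URL.
function renderSearchUnsafe(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') ?? '';
  return `<p>Results for ${q}</p>`;
}

function renderSearchSafe(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') ?? '';
  return `<p>Results for ${escapeHtml(q)}</p>`;
}

// Constructed sample inputs (not taken from the reported flaws).
const storedInput = '<iframe src="https://other.example.invalid/"></iframe>';
const reflectedUrl = 'https://shop.example.invalid/search?q=' +
  encodeURIComponent('<script>alert(1)</script>');

saveProfile('alice', storedInput);
console.log(renderProfileUnsafe('alice')); // markup reaches the page as markup
console.log(renderProfileSafe('alice'));   // same input rendered as text
console.log(renderSearchUnsafe(reflectedUrl));
console.log(renderSearchSafe(reflectedUrl));
```

Both unsafe functions share the same defect, an unencoded write into HTML; the only difference is whether the input arrives from storage or from the URL.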