PayPal registration page vulnerabilities revealed

An XSS (cross-site scripting) flaw is a type of computer security vulnerability, typically found in web applications, that allows malicious internet users to inject code into the web pages viewed by other users. Examples of this type of code include HTML code and client-side scripts.

According to Symantec, as at the start of 2008, XSS attacks carried out on web sites accounted for around 80% of all documented security vulnerabilities.

According to some reports, one of Methodman's revealed exploits centres on an iframe type of attack.

Sites affected include the main registration.paypal.com portal, along with www.paypal-press.co.uk and www.paypal-press.fr.

The first site is used by firms to sign up for PayPal's business merchant services, which potentially makes the discovery quite serious, Infosecurity notes.

Once successful, the incursion allows an attacker to gain interactive access to most, if not all, primary and secondary fields on the registration forms.

According to newswire reports, the data from these fields - which can include payment card information - could then be auto-forwarded to a third-party system on the internet.

In a similar vein, a JavaScript alert could also be coded to re-route users of the page to another web site.
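The outcomes described above, an injected iframe and form data sent to a third party, are countered by encoding reflected values and by a restrictive Content-Security-Policy on the form page. The JavaScript below is an added example, not PayPal's code or anything taken from the reports; the function names, the `company` field and the `third-party.example` URL are assumptions constructed for illustration.

```javascript
// Added example (not from the article): all names and values are hypothetical.

// Encode HTML-significant characters so reflected input renders as text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak form: the submitted value is concatenated straight into the markup.
function renderFieldUnsafe(name, value) {
  return `<input type="text" name="${name}" value="${value}">`;
}

// Hardened form: every reflected value is encoded for the attribute context.
function renderField(name, value) {
  return `<input type="text" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`;
}

// Defence in depth: a policy for the form page, sent as a response header.
function registrationCsp() {
  const directives = {
    'default-src': "'self'",
    'script-src': "'self'",      // inline or off-site injected script is refused
    'frame-src': "'none'",       // an injected iframe does not load
    'form-action': "'self'",     // the form can only submit to its own origin
    'connect-src': "'self'",     // script-initiated requests stay same-origin
    'base-uri': "'none'",
  };
  return Object.entries(directives).map(([k, v]) => `${k} ${v}`).join('; ');
}

// Count element start tags in rendered output; one <input> is expected.
function countStartTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// Constructed input: a value that tries to close the attribute and add a frame.
const reflected = '"><iframe src="https://third-party.example/"></iframe>';

console.log(countStartTags(renderFieldUnsafe('company', reflected)));
console.log(countStartTags(renderField('company', reflected)));
console.log('Content-Security-Policy: ' + registrationCsp());
```

A start-tag count above one in rendered output means the reflected value introduced markup of its own, which is a quick regression check for a form template.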

The good news is that Methodman - who claims to be part of the Team Elite group of internet crackers - says that PayPal has been notified of the flaw, and action is planned.

 
