Cross-site scripting vulnerability fixed
vnunet.com, 20 Jun 2006
PayPal has fixed a vulnerability which allowed cyber-criminals to use the company's official website as a platform to steal user information.
The cross-site scripting vulnerability on paypal.com came to light last week. Internet monitoring firm NetCraft noted that the security flaw could be exploited by fraudsters to steal credit card numbers and other personal information belonging to PayPal users.
NetCraft said that the scam tricks users into accessing a URL hosted on the genuine PayPal website. The scammers even supplied SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate.
However, the scammers managed to inject a message into the genuine PayPal site which reads: 'Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center.'
The victim is then taken to an external server, hosted in Korea, which presents a fake PayPal member log-in page.
Users are prompted to enter social security numbers, credit card details and even Pin codes for bank cards.
PayPal has now fixed the code on its site to address this flaw.
This week we round up the major vendor conference events, plus T-Mobile sells customer data
Remote access - Three steps to getting connected
3.4 million UK professionals now work from home – is your company equipped?
Cost benefits of a global collaboration network
This white paper is a must read for organisations looking for evidence of the bottom-line benefits of high-definition video and voice communications
Keep up to date with the latest products, services and technologies from the world's leading IT companies; IThound.com brings you over 6,000 white papers, case studies and analyst reports.
Biz Stone says paid-for accounts will give users access to...
EU security agency provides checklist for firms looking to vet...
Do you agree?
Have your say on this article