New XSS Bugs Found On eBay And PayPal
A security researcher known as d3v1l discovered a new XSS flaw on PayPal.com on October 6, 2010, and disclosed it on both XSSed.com and Security-Shell. If exploited, the flaw apparently lets an attacker inject malware into the website and potentially compromise an end-user's account. Forbes reported this on October 6, 2010.
XSS flaws, according to security researchers, come in several types. Persistent flaws, which cannot be removed easily, are extremely dangerous: when exploited, they let hackers insert malicious software into web pages permanently, so the hackers' code is rendered automatically without the need to attack each victim separately. Reflected XSS flaws, by contrast, can be exploited only by tricking users into viewing maliciously crafted URLs, which cause the code to be inserted afresh into each page viewed that way.
The XSS bug that d3v1l discovered is a reflected one. However, it can be used to craft extremely convincing phishing e-mails.
d3v1l reports that the trouble arises from the problematic 'sender_country' parameter within a transaction known as 'nvpsm', where 'nvp' means 'Name-Value Pair' and 'sm' means 'send money'. Attackers exploiting this problem can compromise an end-user's online activities and carry out money transfers. They can also send that end-user an authenticated PayPal URL that subsequently diverts him to a malicious intermediate, malware, phishing or other harmful website.
In another, similar instance, a user going by the name Side3ffects found an XSS flaw in eBay and reported it to the ongoing XSSed Project.
The researchers state that this vulnerability can pose far more risk than the PayPal bug, since it allows repeated attacks. Moreover, it is located in the form that account holders use to edit their personal profile details.
Hackers who exploit this vulnerability can generate fake profile pages that display warnings, load third-party websites within iframes or carry out other illegal activities.
Meanwhile, although XSS attacks can be downplayed, eBay and PayPal need to deal quickly with these problems of illegal money transfers on their websites. One solution is to use a shared utility that encodes every output originating from an untrusted source on either of the two websites.
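The shared output-encoding approach described above, sketched as an added example that is not code from eBay, PayPal or the researchers. The function names, the form markup and the two-letter format assumed for 'sender_country' are illustrative assumptions, and the sample input is constructed.

```python
import html
import re
from urllib.parse import quote

# Assumption: a country code is two uppercase letters (ISO 3166-1 alpha-2 style).
_COUNTRY_RE = re.compile(r"[A-Z]{2}")


def validate_country(value):
    """Return the value if it is a two-letter code, else None (reject, never repair)."""
    return value if _COUNTRY_RE.fullmatch(value) else None


def encode_html(value):
    """Encode for HTML element content and quoted attribute values."""
    return html.escape(value, quote=True)


def encode_url_component(value):
    """Percent-encode a value for use inside a URL query component."""
    return quote(value, safe="")


def render_unsafe(sender_country):
    # Reflected XSS pattern: request data concatenated into markup unencoded.
    return '<input name="sender_country" value="' + sender_country + '">'


def render_safe(sender_country):
    # Validate first, then encode anyway so a validator gap cannot become markup.
    code = validate_country(sender_country) or ""
    return '<input name="sender_country" value="' + encode_html(code) + '">'


def render_profile_field(stored_text):
    # Stored data (a profile field) is as untrusted as request data:
    # free text cannot be allowlisted, so encoding on output is the control.
    return "<p>" + encode_html(stored_text) + "</p>"


# Constructed sample input containing markup metacharacters.
SAMPLE = '"><script>alert(1)</script>'

if __name__ == "__main__":
    print(render_unsafe(SAMPLE))         # markup breaks out of the attribute
    print(render_safe(SAMPLE))           # rejected by the allowlist
    print(render_profile_field(SAMPLE))  # rendered as inert text
```

Routing every template through the same small set of encoders, one per output context, is what makes the utility "shared": a page that bypasses it stands out in code review.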
» SPAMfighter News - 12-10-2010