The vulnerabilities, it should be said, have been fixed by PayPal. "We would like to confirm that we have fixed the web redirection, persistent input validation, and injection vulnerabilities that Vulnerability Labs originally reported," said a spokesperson. "There is no evidence at this time that any PayPal customers have been impacted by the bug. We have given bounties to the Vulnerability Lab teams in thanks for their efforts to help us keep PayPal secure for our customers."
However, there is some discussion now on how serious the bugs actually were. Concerning the cross-site scripting bugs, Craig Young, a security researcher at Tripwire, explains, "This type of vulnerability exists when the system includes user input in a web page without sanitizing the data first. The end result is that a malicious user can trick the web page into unintentionally sending new content which executes in the web browser as if it were authentic code from the web page. In the case of a persistent cross-site scripting such as what was claimed by Vulnerability Lab," he added, "the attacker is able to cause new code to be sent to other visitors to the web page. In the worst case scenario, an attacker could hijack victim accounts, distribute malware or spy on victims in more subtle ways."
But he does not believe, in this instance, that the bugs were as bad as described. "In this particular case," he continued, "I believe that the researcher reporting the issue has overstated the potential impact by claiming that it could result in session hijacking."
Turning to the open redirect vulnerability, he says, "this is another common occurrence on the Internet but there is some debate among security researchers as to whether it should really be considered as a security vulnerability. This type of attack would most commonly be used in email or IM phishing attempts. The attacker would send a link which appears to be directed to the PayPal web site but when clicked they would end up on a separate web site."
Young cites Google's bounty policy: "URL redirection. We recognize that the address bar is the only reliable security indicator in modern browsers; consequently, we hold that the usability and security benefits of a small number of well-designed and closely monitored redirectors outweigh their true risks."
But it is not a unanimous view. Nicholas Lemonias, founder of Advanced Information Security, believes the mere existence of unvalidated redirects is symptomatic of deeper code problems. "Unvalidated redirects trace back to poor security development lifecycles, at the embryonic stages of a web application," he told Infosecurity. "However failure of adequate security metrics, following the development of an application, is also an indicator that there was no compliance to ISO/IEC 27001, ISO/IEC 27002, and PCI-DSS – which should be of paramount importance for VeriSign authorized providers. A web application that accepts user input without validation is far from the principles of Information Security as outlined by security guidelines."
He agrees that such a vulnerability can lead to phishing attacks, but believes it is potentially more serious than Young suggests. "A phishing attack is considered a high impact attack – namely at levels 4 & 5 – which defy PCI-DSS compliance – a prerequisite of paramount importance. The sophistication of an XSS is that it could serve as the building block for propagation to other systems of political and strategic importance – through an address book for instance. Using an XSS a user could also execute untrusted third-party heterogeneous code, and that within a user's environment."