Paypal registration page vulnerabilities revealed

15 May 2009

Methodman, a so-called 'grey hat' hacker specialising in discovering cross-site scripting (XSS) flaws, claims to have uncovered a number of XSS security flaws in various Paypal registration pages.

An XSS flaw is a type of computer security vulnerability typically found in web applications that allows malicious internet users to inject code into the web pages viewed by other users. Examples of this type of code include HTML markup and client-side scripts.

According to Symantec, as at the start of 2008, XSS attacks carried out on web sites accounted for around 80% of all documented security vulnerabilities.

According to some reports, one of Methodman's revealed exploits centres on an iframe-type attack.

Sites affected include the main registration.paypal.com portal, along with www.paypal-press.co.uk and www.paypal-press.fr.

The first site is used by firms to sign up for Paypal's business merchant services which potentially makes the discovery quite serious, Infosecurity notes.

Once successful, the incursion allows an attacker to gain interactive access to most, if not all, primary and secondary fields on the registration forms.

According to newswire reports, the data from these fields - which can include payment card information - could then be auto-forwarded to a third-party system on the internet.

In a similar vein, a JavaScript alert could also be coded to re-route users of the page to another website.
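The injection path described above works because a value supplied by the visitor is written straight into the page's HTML, so any markup in it (an iframe, a script tag) becomes part of the page the browser renders. The following is an added example written for this article, not code from PayPal or from the reports quoted here: a deliberately minimal registration-form template with a parameter reflected once unsafely and once with HTML entity encoding, plus a constructed probe value and a small structural check that shows which version lets foreign elements into the page. The form fields, the template and the probe are all assumptions for illustration.

```javascript
// Added example for this article (not PayPal's code): reflecting a request
// parameter into a registration page, vulnerable and hardened side by side.

// Entity-encode the five characters that matter in HTML body text and in
// double- or single-quoted attribute values.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Hypothetical template: the same markup is produced by both render functions;
// only the treatment of the untrusted "email" parameter differs.
function template(email) {
  return `<form method="post" action="/register">
  <label>Email <input name="email" value="${email}"></label>
  <label>Card number <input name="card"></label>
</form>
<p>Confirm your details, ${email}.</p>`;
}

// Vulnerable: the parameter is concatenated as-is. A value containing a closing
// quote and a tag breaks out of the attribute and injects an element.
function renderVulnerable(params) {
  return template(params.email || '');
}

// Hardened: the parameter is entity-encoded for the HTML context it lands in,
// so the browser shows the characters instead of interpreting them as markup.
function renderHardened(params) {
  return template(escapeHtml(params.email || ''));
}

// Crude structural check used only to make the difference visible: list element
// names in the rendered HTML that the template itself does not contain.
const TEMPLATE_TAGS = new Set(['form', 'label', 'input', 'p']);

function foreignTags(html) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.add(tag);
  }
  return [...found].sort();
}

// Constructed probe value (not a real payload from the reports): closes the
// value attribute, inserts an iframe pointing at a placeholder host, and opens
// a dummy attribute so the template's own closing quote is absorbed.
const PROBE = { email: '"><iframe src="https://third-party.example/"></iframe><i x="' };

// Returns the foreign element names each version of the page lets through.
function demo() {
  return {
    vulnerable: foreignTags(renderVulnerable(PROBE)),
    hardened: foreignTags(renderHardened(PROBE)),
  };
}

console.log(JSON.stringify(demo()));
```

The vulnerable rendering admits an `iframe` element (and the stray `i`) into the page; the hardened one admits nothing, because every `<`, `>` and `"` in the parameter has become an entity. Two caveats a practitioner would add: this encoding is correct for HTML text and quoted attribute values only, and values placed inside a script block, a URL or an event handler need encoding for that context instead; and output encoding is the fix, while a Content-Security-Policy header that restricts script sources is a useful second layer, not a substitute.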

The good news is that Methodman - who claims to be part of the Team Elite group of internet crackers - says that Paypal has been notified of the flaw, and action is planned.