A stored XSS vulnerability has been uncovered in PayPal that leaves the e-payment service open to hackers uploading maliciously crafted files capable of attacking registered users of the service.
Researchers from Bitdefender have found that the vulnerability can be used to deliver harmful files or content that enable a wide range of attacks.
The issue lies in the way PayPal processes and encrypts the URLs that transport uploaded files. Bitdefender’s proof-of-concept uses an HTML-formatted XML file, which is uploaded through the “Create an Invoice” section. By tampering with the URL that pulls uploaded files from PayPal’s servers, Bitdefender was able to force the execution of a malicious payload on PayPal’s server. Attackers could then trick users into installing malware or other types of threats.
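As an added illustration of the defender-side controls relevant to this class of flaw, and not code from Bitdefender, PayPal or the original article: the Python below inspects an upload declared as XML for the HTML and script constructs a proof-of-concept of this kind relies on, and builds the response headers that keep a stored upload from ever being rendered as a page, whatever URL is used to fetch it. The function names and sample documents are constructed for this example.

```python
# Defensive checks for a user-upload endpoint such as an invoice attachment form: reject
# an 'XML' upload that is really HTML, and serve stored files so a browser never renders them.
import re
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "link", "meta", "base"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)  # onload, onerror, ...
SCRIPT_URI = re.compile(r"^\s*(javascript|vbscript|data):", re.I)

def _split_tag(tag):
    """ElementTree names are '{namespace}local'; return (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local.lower()
    return "", tag.lower()

def find_active_content(xml_bytes):
    """Reasons an upload declared as XML could execute in a browser ([] = none found)."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        # Browsers render malformed markup as HTML anyway; do not store it
        return [f"not well-formed XML: {exc}"]
    reasons = []
    for el in root.iter():
        ns, name = _split_tag(el.tag)
        if ns == XHTML_NS:
            reasons.append(f"XHTML element <{name}>")
        if name in ACTIVE_TAGS:
            reasons.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            _, aname = _split_tag(attr)
            if EVENT_ATTR.match(aname):
                reasons.append(f"event handler {aname} on <{name}>")
            elif SCRIPT_URI.match(value):
                reasons.append(f"script URI in {aname} on <{name}>")
    return reasons

def safe_download_headers(filename):
    """Headers for serving a stored upload: fixed opaque type, forced download,
    no MIME sniffing, and a CSP that neuters script even if it were rendered."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

An upload that returns a non-empty reason list should be rejected at submission time; the headers apply to every stored file that is later served back, not only to files that failed the check.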
“The huge reach that cyber-attackers had access to through this vulnerability was a worrying development for a service that prides itself on security,” said Catalin Cosoi, chief security strategist at Bitdefender. “Bitdefender is pleased to have located the flaw and shared it with PayPal, safeguarding the future transactions of its users.”
Fortunately, the stored XSS attack only works in Firefox and, although it has not been reported in the wild, it could allow hackers to manipulate PayPal. PayPal has deployed a fix to users.
“PayPal takes the security of our customers’ data, money and account information extremely seriously and worked quickly to resolve an issue related to a Cross-Site Scripting (XSS) flaw and promptly fixed it on July 10, 2015,” the company said in a media statement. “We have no evidence to suggest that any PayPal accounts were impacted in any way.”
PayPal is no stranger to vulnerabilities: last December, a flaw was uncovered that would have enabled a hacker to completely bypass the authentication system. The flaw put 150 million PayPal customers in danger, because the cross-site request forgery (CSRF) prevention system implemented by PayPal had a critical weakness: the token was reusable for a specific user email address or username, meaning that a hacker could intercept the tokens and then simply reuse them to access the account of the corresponding logged-in user.