funsec mailing list archives

PayPal XSS Exploit Available for Two Years?


From: "Fergie" <fergdawg () netzero net>
Date: Thu, 20 Jul 2006 13:56:58 GMT

Via Netcraft.

[snip]

The cross-site scripting (XSS) vulnerability, which was harnessed by
fraudsters to execute a convincing phishing attack against PayPal
users, may have been exploitable for two years previously.

Despite the prompt action taken by PayPal to address the security flaw
after it was reported by Netcraft last month, it became apparent that
the very same flaw had been discovered and documented two years
earlier. The page - cached by the Wayback Machine - describes a cross-site
scripting attack that affected donation pages for suspended users,
and is the exact method exploited by the phishing attack in June 2006.

Chris Marlow tried to warn PayPal about the flaw in June 2004, but
claims the PayPal representative he spoke to did not understand what
cross-site scripting was, and - due to company policy - was unable to
provide an email address to allow a proof-of-concept exploit to be
demonstrated. Frustrated at being unable to convey the seriousness of
the issue, Mr Marlow then posted details about the exploit to his web
site but did not receive any response from PayPal.

[snip]

More:
http://news.netcraft.com/archives/2006/07/20/paypal_xss_exploit_available_for_two_years.html

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
