'Secure' PayPal page is... you guessed it

A serious scripting error has been discovered on PayPal that could enable attackers to create convincing spoof pages that steal users' authentication credentials. The cross-site scripting bug is made all the more critical because it resides on a page that uses an extended validation secure sockets layer certificate. The new- …

COMMENTS

This topic is closed for new posts.
  1. Herby
    Coat

    Some of the phishing would stop if...

    PayPal, EBay, and others (banks) wouldn't send HTML email AND SAY SO.

    Sure people might need to cut/paste URLs into the location area on the browser (you mean you don't have linkification?) but that would be a small price to pay.

    EVERY attempt at gathering credentials of some sort involves HTML email. With it one is able to disguise the real destination of the link through many means (too numerous to mention!). Without this they would be MUCH less likely to tap the various vulnerabilities.

    So they wouldn't be able to put up nice banners. Big deal! Much safer!

    Off the soapbox, out the door.

  2. Dean
    Thumb Up

    Agree!!

    ^^^^ Agree. That's a very good point!!

  3. anarchic-teapot
    Boffin

    @Herby

    Considering that phishers are quite capable of producing HTML email that looks like plain text (it's not difficult), I don't quite see where the "much safer" comes from.

    <mode="jaded_sysadmin">

    "Much safer" would include not having email clients that display HTML. Many thanks to Microsoft, who started the whole HTML-email crap, and persisted despite numerous warnings of security risks.

  4. Anonymous Coward
    Anonymous Coward

    Hacker Safe

    I've hated this company for a while. There is no way they could be legit with as many sites as they have signed up, yet the stupid public will think if you don't pay for it that you aren't safe. Just another security scam.

  5. Gordon Fecyk
    Stop

    McAfee opens mouth, inserts foot. Again. So does anarchic-teapot.

    "Despite the proliferation of XSS attacks, McAfee's ScanAlert, which provides daily audits of ecommerce websites to certify them "Hacker Safe" gives clients the thumbs up even when XSS vulnerabilities are discovered on their pages."

    John McAfee continues his tradition of after-the-fact security for at least twelve years. You have him to thank for convincing the media, and therefore the public, to use reactive anti-virus technology.

    "Many thanks to Microsoft, who started the whole HTML-email crap, and persisted despite numerous warnings of security risks."

    Mister Teapot, in the process of calling the kettle black, you forgot that you have Netscape Communications to blame for this one.

    http://en.wikipedia.org/wiki/Browser_timeline

    Netscape 3, complete with "Rich Text" e-mail as they called it, came out in 1996. Compare with IE3's release in January 2007. Further, Outlook didn't support HTML e-mail until Outlook 98, and Outlook Express / Internet Mail and News didn't support it until IE4 came out. You have Netscape Communications to blame for HTML e-mail, not Microsoft. You also have Netscape to blame for (shudder) Javascript.

    I'd have taken the older scourge of winmail.dat attachments over HTML e-mail, brought to you by Netscape.

  6. Jach

    NoScript

    NoScript for Firefox is great. It even warns me of XSS attempts.

  7. Karl Rasmusson

    PayPal mandatory soon with eBay auctions

    And the eBay clowns are shortly going to force eBay Australia sellers and buyers to use PayPal only, because it's safer, more secure, (and the main reason that eBay never mentions, the additional PayPal fees will make more $ for eBay when the buyer pays).

  8. Alan W. Rateliff, II
    Paris Hilton

    Fellow Amigoid!

    Harry is an active member of the Amiga community. It is pretty neat to see an accomplishment like this come from our neighborhood.

    Paris, because she is pretty neat, too.

  9. Webster Phreaky
    Jobs Horns

    PayPal and eBay sucks

    You'd think that Apple owns the two of them considering the BUGGINESS and Greediness of the two companies are so alike.

  10. Franz Gruber

    Please Disappear

    Paypal could vanish entirely, and my life would only become better. Ebay, I find, generally gets things right, but they haven't clued in little brother. The security I want is from vendors who only will accept Paypal.

  11. Anonymous Coward
    Stop

    We teach our kids to cross the roads carefully

    isn't it time we took the same attitude to the Internet? You can lay down as many laws as you want and patch the holes as they are found but the Internet is always going to be a dangerous place. Teaching people to "Stop, look, listen" when on line won't make the web safer but it will reduce the number of people blindly walking into the obvious scams.

  12. Anonymous Coward
    Alert

    Behind the green bar

    You pay more and have to jump through more hoops to get a digital certificate that triggers the green bar in the newer browsers. Well, you had to pay more and jump through more hoops to get a 'commercial' certificate in the 'old days' (TM). Obviously the vetting of the certificate providers was not good enough... so now you pay more to them again and jump through higher hoops again just because the providers didn't do a good job way back when. And they can get away with it!

  13. Ian Ferguson
    Unhappy

    "Unauthorized withdrawals or purchases made on PayPal accounts are fully reimbursed"

    Careful now... you won't be reimbursed if somebody pays you with stolen credit card details - the card victim's bank will claim the money back with a chargeback, leaving you out of pocket; and you can't expect any sympathy (or in my experience, even a reply) from Paypal.

    Don't use Paypal for anything other than small transactions that you don't mind losing out on.

  14. Benny
    Gates Halo

    @Phreaky

    ....Not even a mention of Apple, Billy must be proud of you

  15. Andrew Barratt
    Unhappy

    Not an EV issue at all

    Once again EV gets bashed and without really understanding the concept behind it.

    EV doesn't make anything "more secure", it sets a level playing field for the validation that is done to certify the business is a legitimate entity to trade with. SSL is more than just about encryption.

    There is no "loop hole" in SSL, it's just nobody ever checks the relying party agreements or Certificate policy statements so they can actually see what has been done to validate the entity before trusting a site. With EV at least it's a standard approach which should be less confusing for the end user in the future.

    Get your facts right before shamelessly bashing a technology that could actually bring down the cost of SSL, and provide higher levels of trust in the future.

  16. anarchic-teapot

    @Gordon Fecyk

    Oh I'll include Netscape as well if you like. Hate all of them. But it was Microsoft that really inflicted HTML email on the world with Outlook Express. You could choose not to install Netscape, and considering what a bloated lump it had become by then, most did. However, for those of us forced to use Windows, there was no choice as to installing Outlook Express.

    Amiga users (there were still vast numbers of us in those days) had YAM. God, I miss YAM.

  17. Colin Wilson
    Coat

    re: HTML email

    Exactly the point I've been making for years - one notable example of banks practising piss-poor security was an email from, IIRC, MBNA - sent via an unknown third party, and linking to their login page via yet another unknown third party.

    I sent this little beauty direct to the banking ombudsman about 3 years ago pointing out how ridiculously stupid the bank had to be to operate in this manner, despite complaining about losses through fraud.

    The response - "it's common industry practice"

    So is fraud, but it doesn't mean it's right...

  18. Anonymous Coward
    Anonymous Coward

    @Gordon Fecyk

    you quoted wikipedia, how naughty

    mine's the one with sciam and phrack in the pocket

  19. Matt Thornton

    @Gordon

    Erm, you quite sure you've got your timeline quote correct?

    I'm sure you don't think IE3 was actually released in 2007, but I'm a little confused how 1996 is typo'd into 2007.

    According to the Wiki, IE3 was released August 13, 1996 with "Internet Mail" whereas "Nutscrape" 3.0 was August 19, 2006. (http://en.wikipedia.org/wiki/Netscape_Navigator#Release_history) Oops.

    It's too painful a time for me to go back and remember to really investigate which of these technological revelations introduced such problems, but seems like you should check your facts before jumping on the soapbox.

  20. Bad Beaver
    Happy

    Ah, it's the weekend...

    ...they've let Webster out of the cage *g*

    I like this whole "turn green" idea. I mean, if that happened on Camino or Safari while using PayPal I would feel... very confident about something being fishy.

  21. Rob Haswell
    Alert

    Let the problem solve itself

    @oliver

    "Teaching people to "Stop, look, listen" when on line wont make the web safer but it will reduce the number of people blindly walking into the obvious scams."

    In my view, people that blindly walk into these scams shouldn't be allowed to use computers in the first place, in the same way that people aren't allowed to drive cars without a demonstration of aptitude.

    It's just sad that being a retard online doesn't have more fatal consequences, like when people don't "Stop, look, listen" and walk blindly into traffic.

  22. Quirkafleeg

    Re: @Herby

    “ "Much safer" would include not having email clients that display HTML.”

    And having clients which will display HTML having an option to not display HTML or (if necessary) convert the HTML to plain text. And plain text display should be the default. And and and… (gibber) (NURSE!)

  23. Anonymous Coward
    Anonymous Coward

    Silly little green browser bar

    Good, I am glad this monstrosity of interface design has had its comeuppance.

    I have just been reading about some bizarre idea of a red and green button for computer states??

    What is going on, colors have no bearing on your security whatsoever. And yet they seem to be touted all over the show.

    Well could be worth getting in on the scam.

    Personally, I find violet very effective to stop crackers in their tracks.

    Unlike other companies I will be giving my violet (codename ultraviolet) protection away for nothing; only those with the 'cahoonas' to go pink need apply.

    The first person to tell me to #ff 00ff wins a free upgrade to magenta.

  24. Anonymous Coward
    Anonymous Coward

    re Fellow Amigoid

    I wonder if Harry used an Amiga to find the error; that would be neat if he did

  25. Anonymous Coward
    Pirate

    Re: HTML email

    NT 4.0 had IE as a standard browser, in 1996. If I recall right, it was IE 2.0.

    Also some kind of email-program, called "Internet Mail" in setup, probably some ancient version of Outlook. (I'm running NT on a machine but of course those have been ripped out and replaced with safer software years ago. In NT you actually could get rid of IE completely.)

    Both of course updated regularly in service packs.

    I have a NT 4.0 SP1 installation CD so if there's disagreement with dates, I can install it on some machine and check.

    Netscape 4.61 seems to be dated at 27.5.1999. I know I have earlier versions down to 2.x, but the machines they are in, are stored elsewhere.

    Anyway, HTML in e-mail is a serious security risk and should be banned immediately and all messages containing it scrapped as spam/phishing attempt.

  26. Anonymous Coward
    Stop

    DNC

    Do Never Clicksee

  27. SteveNZ

    Well.... if we are using Wikipedia as the truth....

    Looks like Netscape had the edge by a few months....

    Netscape Communicator 4, which supported HTML mail was released in July 1997. Since Outlook Express's predecessor, included with IE3 - "MS Internet Mail and News" (get it - that's where msimn.exe comes from!) did NOT support HTML mail, it was the first version of OE - bundled with IE4 in Sep/Oct 2007 that provided MS's first dive into this fire....

    So - without spending hours finding out who was first - looks like at least it ain't Uncle Bill's fault - this time!

  28. TeeCee Gold badge
    Dead Vulture

    @SteveNZ

    "if we are using Wikipedia as the truth...."

    "O, that way madness lies; let me shun that; No more of that."

    This quote comes from William Shakespeare's "King Lear". Taken from the famous scene when Lear looks at his Wikipedia entry and finds that he's been written up as Hitler's gay lover, a kiddie-fiddler with extensive investments in the arms trade and bio-tech industries and the original author of Black Lace's chart-topper "Agadoo".

  29. ben
    Coat

    @SteveNZ

    >>it was the first version of OE - bundled with IE4 in Sep/Oct 2007

    OE was 2007 was it? Looks like space time has got disturbed somewhere. ISTR OE on Win98...

    mine's the one with Pedant written across the back.

  30. Daniel B.
    Coat

    Yeeipes!

    Ok dudes, stop messing with timelines... two people have messed with space-time and now both IE3 and Outlook Express have been born in 2007 instead of 1996/97???

    Mine's the one with the DeLorean's keys...

  31. Chad Larson
    Thumb Down

    It's even worse

    I frequently use Lynx to browse. It is text only. But places where I would want the most security (like banks) sometimes refuse to deal with a browser that doesn't do Javascript, let alone HTML.

  32. Andy Worth

    Re:We teach our kids to cross the roads carefully

    Couldn't agree more.

    By far the most effective way to reduce phishing attacks (or at least successful ones) would be to have some proper guidance for people on a wide scale. I know the guidance exists, but it's not forced into people's faces.

    To effectively teach a child the correct way to cross a road, you don't say "oh there's a book (or webpage) about crossing roads, read it if you feel like it", you force the information on them. The same should apply to "internet safety" pages, and perhaps even people should have to take a standard internet safety "test" before they are let loose on the web? :)

    I can just imagine it.....Dave Prowse in his blue tights (yes I know they were green in the road safety campaign) promoting the "Blue Cross Code". Someone sitting on a PC, about to click on a phishing email link and he jumps in and says "Don't be an R-tard!.....leave the email alone". Instead of Stop, Look, Listen it'll be Stop, Read Carefully, Delete.
