XSS bug crawls all over PayPal page

Online payments site PayPal has been bitten by yet another cross-site scripting (XSS) bug that could be exploited by black hats to phish user passwords or possibly steal authentication cookies. At time of writing, opening the link revealed a tainted page that opened a javascript window that read: "Fugitif was here another time …


This topic is closed for new posts.
  1. Frank
    Thumb Up

    Over a week old

    On Friday 30th January, I completed a PayPal transaction and was surprised to note that NoScript (in Firefox) advised me it had blocked a suspected XSS attack. Their site seems to have been infected for over a week then.

    At the time, I was buying something from an established Powerseller and had been taken to his trading site that used an intermediary website to collect payment. I've always been suspicious of these and prefer to be sent to PayPal direct. I was extra suspicious because the intermediary trader site asked me for my PayPal e-mail and password 'to make it easier to make payments the next time I bought anything'. I refused and it passed me over to PayPal.

    I did think that the XSS attack was due to being involved with the intermediate trader but NoScript did say it came from PayPal and this article seems to confirm it.

  2. psychochief

    sounds about right !!!!!!!

    why oh why anybody still trusts paypal/fleabay any more is beyond me, they can't even secure their own sites, if it wasn't so serious it would be hilarious, if they cut down their use of javascript and wide-open flash content, joe public might have a chance, pigs might fly too, some chance eh ?? bloody oxygen thieves grrrrrrrrrrrrrrr :O)

  3. hi_robb
    Dead Vulture

    You're being optimistic aren't you?

    You expect it to be fixed next week?

    Try more like next year.

    /slinks off

  4. Anonymous Coward
    Anonymous Coward


    The XSS detection in NoScript's a pain in the arse with 3dsecure, whenever I'm checking out now I close everything else then allow globally, otherwise half the time you end up failing when it kicks back to the shop's page.

    Might just be the way it detects redirection, not bothered to look into it.

  5. Anonymous Coward
    Thumb Down

    This is why...

    ...3D Secure is so wrong. Well, it's just another reason why 3D Secure is so wrong.

    Any "security system" that requires me to lower my level of security to get it to work is fundamentally flawed.

  6. Bill P. Godfrey


    I keep a second Firefox profile without NoScript for when I want to buy anything.

  7. Estariel

    Even Fugitif reads El Reg!!

    By Fugitif Posted Sunday 8th February 2009 23:09 GMT

    this bug was found with dorks query on google and exploited with ! that's all.

    90% of websites/forums are vulnerable to sql injection so I don't see where the problem is.

    Did he leave a source IP address? Maybe he posted from Paypal?

  8. Jeremy
    Paris Hilton

    @Bill P Godfrey

    So let me get this straight - you installed a piece of software designed to help block security issues when you're browsing websites but when you want to disclose your credit card number and expiry date, you turn it off?


  9. Bill P. Godfrey
    Paris Hilton


    Yep. If I'm giving a site my credit card number, I already trust them enough to let them run scripts.

    I actually have three Firefox profiles, each for different uses. Each one has its own set of add-ons and cookies.

    1. Casual browsing. (With NoScript)

    2. GMail.

    3. Credit card.

    I run the first two all the time. The third is only used when I want to buy anything and I know that NoScript would get in the way.

    I made a video showing how to do this. Enjoy.

  10. Anonymous Coward
    Paris Hilton

    Paris probably could use NoScript

    "when I want to buy anything and I know that noscript would get in the way."

    Eh?? NoScript is easy to use - I buy stuff all the time when using NoScript.

    Whatever floats your boat though.

