XSS bug crawls all over PayPal page Online payments site PayPal has been bitten by yet another cross-site scripting (XSS) bug that could be exploited by black hats to phish user passwords or possibly steal authentication cookies. At time of writing, opening the link revealed a tainted page that opened a javascript window that read: "Fugitif was here another time …
On Friday 30th January, I completed a PayPal transaction and was surprised to note that NoScript (in Firefox) advised me it had blocked a suspected XSS attack. Their site seems to have been infected for over a week then.
At the time, I was buying something from an established Powerseller and had been taken to his trading site that used an intermediary website to collect payment. I've always been suspicious of these and prefer to be sent to PayPal direct. I was extra suspicious because the intermediary trader site asked me for my PayPal e-mail and password 'to make it easier to make payments the next time i bought anything'. I refused and it passed me over to PayPal.
I did think that the XSS attack was due to being involved with the intermediate trader but NoScript did say it came from PayPal and this article seems to confirm it.
why oh why anybody still trusts paypal/fleabay any more is beyond me, they cant even secure their own sites, if it wasnt so serious it would be hillarious, if they cut down their use of javascript and wide-open flash content, joe public might have a chance, pigs might fly too, some chance eh ?? bloody oxygen theives grrrrrrrrrrrrrrr :O)
The XSS detection in noscript's a pain in the arse with 3dsecure, whenever I'm checking out now I close everything else then allow globally otherwise half the time you end up failing when it kicks back to the shop's page.
Might just be the way it detects redirection, not bothered to look into it.
http://www.theregister.co.uk/2009/02/08/kaspersky_compromise_report/comments/
By Fugitif Posted Sunday 8th February 2009 23:09 GMT
this bug was found with dorks query on google and exploited with schemafuzz.py ! that's all.
90% websites/forums are vulnerable to sql injection so I don't see where is the problem.
Did he leave a source IP address? Maybe he posted from Paypal?
Yep. If I'm giving a site my credit card number, I already trust them enough to let them run scripts.
I actually have three firefox profiles, each for different uses. Each one has its own set of add-ons and cookies.
1. Casual browsing. (With Noscript)
2. GMail.
3. Credit card.
I run the first two all the time. The third is only used when I want to buy anything and I know that noscript would get in the way.
I made a video showing how to do this. Enjoy.
http://www.youtube.com/watch?v=_5oubQ4kggs
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
