Egypt-based researcher Ebrahim Hegazy discovered a Stored Cross Site Scripting (XSS) vulnerability in the Paypal's Secure Payments domain.
As it sounds, the domain is used to conduct secure online payments when purchasing from any online shopping website. It enables buyers to pay with their payment cards or PayPal accounts, eliminating the need to store sensitive payment information.
However, it is possible for an attacker to set up a rogue online store or hijacked a legitimate shopping website, to trick users into handing over their personal and financial details.
How the Stored XSS Attack Works?
Hegazy explains a step by step process in his blog post, which gives a detailed explanation of the attack.
Here's what the researcher calls the worst attack scenario:
- An attacker need to set up a rogue shopping site or hijack any legitimate shopping site
- Now modify the "CheckOut" button with a URL designed to exploit the XSS vulnerability
- Whenever Paypal users browse the malformed shopping website, and click on "CheckOut" button to Pay with their Paypal account, they'll be redirected to the Secure Payments page
- The page actually displays a phishing page where the victims are asked to enter their payment card information to complete the purchasing
- Now on clicking the Submit Payment Button, instead of paying the product price (let's say $100), the Paypal user will pay the attacker amount of attacker's choice
The researcher has also provided a proof-of-concept (PoC) video that shows attack in work. You can watch the video here.
Hegazy reported this serious security vulnerability to the PayPal team on June 19th, and the team confirmed the security hole, which was fixed on August 25 – just over two months later.
PayPal has also rewarded Hegazy with a bug bounty of $750 for his findings, which is the company’s maximum bug bounty payout for XSS vulnerabilities.