PayPal addresses reflected XSS bug in user wallet currency converter

PayPal has addressed a reflected cross-site scripting (XSS) vulnerability that affected the currency converter feature of user wallets.

PayPal has fixed a reflected cross-site scripting (XSS) vulnerability that was discovered in the currency converter feature of user wallets on February 19, 2020, close one year ago.

The ‘reflected XSS and CSP bypass’ vulnerability was reported by the bug bounty hunter “Cr33pb0y” through the HackerOne platform.

“An endpoint used for currency conversion was found to suffer from a reflected XSS vulnerability, where user input was not being properly sanitized in a parameter in the URL. This could lead to a malicious user injecting malicious JavaScript, HTML, or any other type of code that the browser may execute. The malicious script will execute in the browser page DOM of another user typically without their knowledge or consent.” reads the summary published by PayPal.

PayPal has implemented additional validation checks and sanitizer controls for user input in the currency exchange feature before being returned in the response.

According to PayPal, the flaw resided in the currency conversion endpoint and was caused by a failure to properly sanitize the input in a parameter in the URL.

An attacker could have exploited the flaw to inject malicious code (JavaScript, HTML, or any other language) that will be executed within the browser.

This means that the malicious script will execute in the browser page Document Object Model (DOM) of another user typically without their knowledge or consent.

In a real attack scenario, threat actors could trigger the flaw by tricking the victims into clicking on a specially crafted link.

Malicious payloads could be executed to carry out multiple malicious activities, such as stealing cookies and session tokens.

Cr33pb0y received a $2,900 reward as part of the bug bounty program.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PayPal)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.