Threaded Mode | Linear Mode

***mandy*** · 06-17-2006, 09:40 AM,

Quote:A security flaw in the PayPal web site is being actively exploited by fraudsters to steal credit card numbers and other personal information belonging to PayPal users. The issue was reported to Netcraft today via our anti-phishing toolbar.

The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique (XSS).

When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page...

full article with screenshots: http://news.netcraft.com/archives/2006/0...theft.html

***regic*** · 06-17-2006, 04:28 PM,

PayPal patched the hole on its site within hours of the Netcraft report yesterday but there's no indication they plan to contact all of their members to alert them that a breach occured-i.e. that the PayPal website was hacked in a cross-scripting attack. : Smile

Quote:PayPal has fixed a flaw in its Web site to block a sophisticated scam designed to obtain sensitive data from members, the payment service said Friday.

The company has no information on how many people may have fallen victim to the scam,

full article: http://news.com.com/PayPal+fixes+phishin...g=nefd.top

rose · 06-17-2006, 08:42 PM,

Sloppy programming. Did they outsource all of their development work to Microsoft? Happy001

**amy** · 06-18-2006, 12:18 AM,

Quote: a cross-site scripting technique

It isn't surprising that the PayPal site has cross-site scripting flaws since the US government issued a security alert about similar problems on the eBay site in April.