Cross-site scripting hole in Paypal casts doubt on EV-SSL

A cross-site scripting vulnerability exists in the online bank Paypal which could allow malicious code injection, despite the site using an Extended Validation-SSL (EV-SSL) certificate. EV-SSL certificates require stricter validation than standard certificates and promise increased security for web pages. The flaw is a blow to the image of the EV-SSL system, which is designed to provide greater protection and reassurance to internet users.

In web browsers including Internet Explorer from version 7 and Firefox from the upcoming version 3, EV-SSL certificates cause a green address bar to be displayed to indicate that the user has reached the legitimate web page and not a phishing page. Although not designed to prevent or detect security holes like this one, EV-SSL is being sold by CAs and browser vendors as a badge of trust for web sites. The cross-site scripting hole could be exploited by attackers to forward data such as login credentials to remote servers or steal cookies without the user's knowledge – according to the reports, the address bar remains green.

Finnish security expert Harry Sintonen demonstrated the hole in an IRC chat. A pop-up window is reported to have opened during a visit to the page. Sintonen is also said to have given another demonstration to UK media, in which an injected JavaScript generated a login prompt and sent the entered data to an unauthorised server. By close of business on 16 May, eBay reportedly hadn't closed the hole.

According to a statement by Paypal, the security of Paypal users is a top priority. "As soon as we were informed of this exploit, we began working very quickly to shut it down." The online bank explained that "to our knowledge, this exploit was not used in any phishing attacks." Only four weeks ago, Paypal managers considered excluding browsers which don't support EV-SSL.

See also:

• PayPal XSS Vulnerability Undermines EV SSL Security, posting on Netcraft

(mba)