In association with heise online

28 May 2013, 11:29

PayPal vulnerable to cross-site scripting again

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Screenshot of XSS
Zoom A simple string is able to bypass PayPal's entry filter and enable attackers to execute arbitrary JavaScript
17-year old German schoolboy Robert Kugler has posted information on a cross-site scripting vulnerability in payment processing service PayPal to the Full Disclosure mailing list. Kugler wanted to report the bug to PayPal as part of its official Bug Bounty Program, but the program only pays out to participants who are 18 or over. To vent his frustration, he has now gone public with the bug.

PayPal servers apparently fail to check strings entered in the German version of the site-wide search field with sufficient rigour. The result is that it is possible to enter JavaScript in this field, which the server then sends to the browser. The browser then executes this code. Attackers can exploit such cross-site scripting (XSS) vulnerabilities to, among other things, steal access credentials. The issue can be demonstrated by entering

"<SCRIPT>alert('XSS strikes again')</SCRIPT>

in the search fieldGerman language link. The English language version of search on PayPal directs users to a different, apparently externally run, search engine. The XSS flaw could though still be of use in attacks on English speakers using PayPal.

Paypal XSS with certificate details
Zoom Note the XSS trickery - despite a PayPal URL and a valid PayPal certificate, login credentials entered here are sent, not to PayPal, but to The H's German associates at

The user has no way of knowing that code has been injected by an attacker, since the correct PayPal URL is displayed in the browser address bar and checking the SSL certificate also fails to show up any irregularities. The simple attack described by Kugler does not work with WebKit-based browsers (Safari and Chrome), which include an XSS filter. This can, however, be circumvented. Opera, Firefox and Internet Explorer users are vulnerable to the PayPal vulnerability. Mozilla developers are working on their own XSS filter, but development appears to have come to a halt.

A previous XSS vulnerability at PayPal which could be exploited using insufficiently filtered user entries was discovered back in March 2012. Then as now, the company was happy to advertise itself in Germany as a "Tested payment system" with a certificateGerman language linkPDF issued by TÜV Saarland. In the last financial year, PayPal had a global turnover of $1.5 billion.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit