December 10, 2010

PayPal Send Money Cross-Site Scripting Vulnerability

1. Summary:

PayPal's send money feature is affected by an XSS (cross-site scripting) vulnerability.

2. Description:

When sending money via PayPal, the sender has the option to include a message with the payment. An attacker can inject XSS code into this message box because the field fails to validate its input. When the victim views the transaction page, the injected code executes in their browser.
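The following is an added example, not code from the advisory or from PayPal, showing how a stored XSS in a free-text message field arises when the message is concatenated into the transaction page as raw HTML, and how escaping the value at output time prevents it. The function names, the transaction object shape and the sample message are constructed for illustration.

```javascript
// Context-aware HTML escaping for text placed inside an element body or a
// double-quoted attribute value. Each special character maps to its entity.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (hypothetical): the sender-controlled message is dropped
// into the recipient's transaction page unescaped, so any markup in the
// message becomes live markup in the recipient's browser.
function renderTransactionUnsafe(tx) {
  return `<div class="tx"><span class="amount">${tx.amount}</span>` +
         `<p class="note">${tx.message}</p></div>`;
}

// Hardened pattern: every untrusted value is escaped at the point it is written
// into HTML, independent of whatever validation ran when it was stored.
function renderTransactionSafe(tx) {
  return `<div class="tx"><span class="amount">${escapeHtml(tx.amount)}</span>` +
         `<p class="note">${escapeHtml(tx.message)}</p></div>`;
}

// Regression check: does the rendered HTML contain any tag that the template
// itself did not emit? A real deployment should rely on an auto-escaping
// template engine plus a Content-Security-Policy, not on a regex like this.
function containsForeignMarkup(html) {
  const allowed = new Set(['div', '/div', 'span', '/span', 'p', '/p']);
  for (const m of html.matchAll(/<(\/?[a-zA-Z]+)/g)) {
    if (!allowed.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample transaction: the note carries a classic script tag.
const sampleTx = {
  amount: '$10.00',
  message: 'Thanks for lunch! <script>alert(1)</script>',
};

console.log('unsafe render leaks markup:', containsForeignMarkup(renderTransactionUnsafe(sampleTx)));
console.log('safe render leaks markup:  ', containsForeignMarkup(renderTransactionSafe(sampleTx)));
```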

3. Impact:

Could potentially give an attacker access to a victim’s PayPal account.

4. Affected Products:

5. Solution: Fixed

6. Time Table:

12/06/2010 Reported Vulnerability to the Vendor
12/07/2010 Vendor Acknowledged Vulnerability
04/22/2011 Bug has been fixed

7. Credits:

Discovered by Nathan Power