PayPal plugs cross-site scripting vulnerability

Finnish researcher's discovery finds that even SSL certificate was no guarantee of security

By Gregg Keizer, Computerworld
May 19, 2008

Talkback

E-mail

Printer Friendly

Reprints

Online payment provider PayPal has patched a critical cross-site scripting vulnerability that a Finnish researcher disclosed late last week, the company said Monday.

Harry Sintonen, who goes by the alias "piru," revealed the cross-site scripting bug in an online chat on Friday, according to a report posted by U.K.-based anti-fraud vendor Netcraft Ltd. The cross-site scripting vulnerability's potential impact was even more serious than usual, Sintonen said, because the page was guarded by an Extended Validation (EV) SSL certificate

"PayPal says you can trust the URL if it begins with 'https://www.paypal.com,' which is not true in this case," Sintonen told Netcraft and others during an online chat session.

Sintonen claimed that he was able to inject his own code, which put a harmless message on-screen that read, "Is it safe?" a reference to a line in the 1976 movie "Marathon Man."

Cross-site scripting bugs, which are typically exploited by identity thieves and phishers, let attackers insert their own malicious code into legitimate pages, but have also been used for other purposes. Last month, for example, a cross-site scripting vulnerability in Sen. Barack Obama's (D-Ill.) presidential campaign Web site redirected some visitors to the URL of his rival, Sen. Hillary Clinton (D-N.Y.).

EVs are a step above standard SSL certificates -- their owners must go through more stringent background checks -- and were introduced to reassure users that an online site is legitimate, not a fake hosted by phishers. PayPal was one of the first commercial sites to use an EV.

To let users know they're at URL backed by an EV, browsers that support the certificates tint the address bar green.

Monday, the payment arm of eBay Inc. said it had plugged the cross-site scripting hole. "As soon as we learned of this exploit, we began working very quickly to shut it down and it is now closed," said PayPal spokesman Michael Olderburg in an e-mail. "To our knowledge, this exploit was not used in any phishing attacks."

EVs, cross-site scripting vulnerabilities and PayPal have some history. A month ago, PayPal's chief information security officer, Michael Barrett, seemed to say in a paper presented at the RSA Conference that the company would block browsers such as Apple Inc.'s Safari that didn't support EVs.

A few days later, however, PayPal said it had no plans to block Safari, or any current browser, from its site and service, but instead said it would bar only "obsolete browsers on outdated or unsupported operating systems." The example it gave then was Internet Explorer 4 running on Windows 98; both that browser and OS fell off Microsoft Corp.'s support list in mid-2006.

Add to:

Digg

Talkback:

comment Post a Comment

MOST COMMENTS

>> Talkback: Have your say

THE TOP THREE WAYS TO CUT COSTS IN 2009
With the current economic environment, organizations are looking for ways to cut costs. With Oracle Content Management, you can cut costs in three ways in 2009: consolidation, process automation and compliance. Learn more from this webcast sponsored by Oracle.

» Click here to view this Webcast

Protection for Remote Sites and Branch Offices
This Whitepaper reviews the challenges of creating appropriate data protection, especially for small and midsize companies with remote and branch offices. It offers suggestions on how you can choose the most appropriate data protection solution for your company's needs. Sponsored by Overland

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

Best practices for Microsoft Exchange 2007 with HP Servers - After extensive testing, we present you with configuration and performance data, best practices, and recommendations to ...
Securing the Converged Enterprise I - Balancing the many benefits of convergence with the associated security risks can be tricky. While convergence eases communications...
Performance and Scalability on HP ProLiant Multi-Processor Server Blades - This performance brief summarizes scalability testing of Microsof(R) Exchange Server 2007 on HP ProLiant blade servers. ...
HP Smart Array P800 Controller and HP MSA60 2,500 - This document provides information on the HP StorageWorks 60 Modular Smart Array (MSA60) direct attached storage (DAS) solution...
HP Insight Dynamics - VSE Reference Arch. for Microsoft Exchange Server 2007 - Learn more about HP Architecture Planning Tool for OCS 2007: - Further detail on the various input parameters and decision...
Best Practices for Deploying Microsoft Office SharePoint Server 2007 - The release of Hyper-V, from Microsoft Windows Server 2007, provides users with a virtualization tool to consolidate the...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

PayPal plugs cross-site scripting vulnerability

MOST COMMENTS

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Video

Podcasts

InfoWorld Blogs

Columnists

Find Products and Companies

Resource Center

Sponsored Technology Links

Sponsored Technology Links
(ISC)2 - I'm an SSCP Go-To Guy. See what I do. Click here! Rackspace - The True Value of a Hosting Provider AMD - The Future is Fusion. Only from AMD. Learn more. Intersystems - Develop and integrate faster with InterSystems Ensemble. AMD - Learn how the new Quad-Core AMD Opteron(TM) processor improves performance AT&T - AT&T Article: Reinventing the Telephone with VoIP HP - HP Architect Planning Tools for MS Office Communications Server 2007 AT&T - Securing the Converged Enterprise II AT&T - Securing the Converged Enterprise I HP - Best Practices for Deploying Microsoft Office SharePoint Server 2007 AT&T - An AT&T White Paper: Enterprise IPTV Solution HP - HP ProLiant BL480c Server Blade Microsoft Exchange Server 2007 HP - HP Smart Array P800 Controller and HP MSA60 2,500 Oracle - Top 3 Ways to Cut Costs in 2009 with Oracle Content Management AMD - See the power of the new Quad-Core AMD Opteron(TM) processor ASG Software - Transform your IT Organization now! AT&T - The Top 10 Best Practices for Server Virtualization Planning ISC2 - Network Security Solutions Guide Infoblox - The Costs and Impacts of DNS and IP Address Management Riverbed - Virtualization Solutions Guide Armstrong - Delivering Actionable Enterprise Architecture AT&T - AT&T Business Continuity Survey on Risk Management AT&T - New from AT&T: Discover Fixed-Mobile Convergence Now HP - HP StorageWorks products-control, consolidation and confidence. Vision Solutions - Solving Downtime Challenges to Manufacturing and Supply Chain Operations Oracle - The Top Three Ways to Cut Costs in 2009		HP - Predict the future with HP Insight Power Manager HP - Affordable technology-no compromise. HP server solutions. Motorola - The Enterprise Mobile Messaging Benchmark Report AT&T - Machines That Speak: The Machine-to-Machine Wireless Network Data Domain - IDC Workbook: Assess the Value of Deduplication for your Storage Consolidation Initiatives Vision Solutions - Real-Time, On-Demand Information for Business Intelligence and Data Integration Samsung Printing Solutions - control workflow, costs and operations Check Point - Check Point Endpoint Security White Paper Get to know - BlackBerry Professional Software-find out more Oracle - Oracle Universal Content Management Oracle - Information Workplace Platforms: Oracle vs. Microsoft Oracle - Performance Monitor: ERP at the Speed of Light Sony - Discover the advantages of Sony LTO media at sony.com/lto. Sun - Virtual Machines: Sun's xVM Virtualization Portfolio Verisign - The Latest Advancements in SSL Technology CA - Plan IT better, Manage IT better. CA - Manage your IT more effectively. Intel - Processor-enabled Virtualization. That's IT as it should be. Microsoft - Get the virtualizing power of Windows Server 2008 with Hyper-V Microsoft - Microsoft SQL Server 2008. Read Case Studies & Try for Free Microsoft - Learn about the software-based VoIP solution from Microsoft. AT&T - An AT&T Article: When Content is King AT&T - Maximizing Mobility in Communications AT&T - The Spirit of Innovation: 100 IT Leaders Speak Out Oracle - Nucleus Report: Who's ready for SMB? Qwest - Learn how Qwest voice and data solutions can save you time.

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist TecChannel :: TecCommunity