PayPal Patches Serious Flaw in Payment System

Flaw in PayPal “SecurePayments” Page Allowed Hackers to Steal Users’ Data

PayPal has patched a serious vulnerability that could have been exploited by malicious actors to trick users into handing over their personal and financial details.

The vulnerability, discovered by Egypt-based researcher Ebrahim Hegazy, was caused by a stored cross-site scripting (XSS) bug in the domain. The domain is used for PayPal’s hosted solution, which enables online shop owners to allow buyers to pay with a payment card or their PayPal account, eliminating the need to capture or store sensitive payment information.

According to Hegazy, a malicious actor could have set up a rogue shopping site or hijacked a legitimate website, and altered the “Checkout” button with a URL designed to exploit the XSS vulnerability. This allowed the attacker to change the contents of the SecurePayments page and display a phishing page where the victim is instructed to enter personal and financial information.

The harvested data is then sent back to a server controlled by the attacker, the researcher explained.

The XSS code could have been injected into the PayPal SecurePayments page via a URL that looked something like this:

Then, this malicious URL was injected into the checkout button, the expert said.

The vulnerability was reported to PayPal on June 19. The payment processor fixed the flaw on July 10.

Hegazy told SecurityWeek that PayPal awarded him $750 for his findings, which is the maximum bug bounty payout for XSS vulnerabilities. The researcher has published a proof-of-concept video to demonstrate the existence of the flaw.

“The vulnerability was found in a payment flow that allows merchants to customize the payment experience for their customers,” PayPal told SecurityWeek. “To exploit the vulnerability, an attacker would have had to trick a victim into visiting the payment flow after a shopping experience to facilitate payment. This would require the attacker to either set up a fake web store and entice victims to shop there, or modify an existing store to send victims to the payment flow.”

“PayPal takes the security of our customers’ data, money and account information extremely seriously and worked quickly to resolve an issue on the SecurePayment page. We have no evidence to suggest that any PayPal accounts were impacted in any way,” PayPal said.

“Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognize the important role that security researchers and our user community play in also helping to keep PayPal and our customers secure, which is why we run a Bug Bounty Program. If you discover a site or product vulnerability please notify us through our Bug Bounty Program,” the company added.

This is not the first time Hegazy has found a serious vulnerability in a high-profile service. Last year, he identified a security hole in a Yahoo domain that allowed him to gain root access to one of the company’s servers.

Related Reading: PayPal Fixes Remote Code Execution Flaw in Partner Program Website

*Updated with correct fix date (July 10) and additional information from PayPal

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
