Flaw in PayPal “SecurePayments” Page Allowed Hackers to Steal Users’ Data
PayPal has patched a serious vulnerability that could have been exploited by malicious actors to trick users into handing over their personal and financial details.
The vulnerability, discovered by Egypt-based researcher Ebrahim Hegazy, was caused by a stored cross-site scripting (XSS) bug in the SecurePayments.PayPal.com domain. The domain is used for PayPal’s hosted solution, which enables online shop owners to allow buyers to pay with a payment card or their PayPal account, eliminating the need to capture or store sensitive payment information.
According to Hegazy, a malicious actor could have set up a rogue shopping site or hijacked a legitimate website, and alter the “Checkout” button with a URL designed to exploit the XSS vulnerability. This allowed the attacker to change the contents of the SecurePayments page and display a phishing page where the victim is instructed to enter personal and financial information.
The harvested data is then sent back to a server controlled by the attacker, the researcher explained.
The XSS code could have been injected into the PayPal SecurePayments page via a URL that looked something like this:
Then, this malicious URL was injected into the checkout button, the expert said.
The vulnerability was reported to PayPal on June 19. The payment processor fixed the flaw on July 10.
Hegazy told SecurityWeek that PayPal awarded him $750 for his findings, which is the maximum bug bounty payout for XSS vulnerabilities. The researcher has published a proof-of-concept video to demonstrate the existence of the flaw.
“The vulnerability was found in a payment flow that allows merchants to customize the payment experience for their customers,” PayPal told SecurityWeek. “To exploit the vulnerability, an attacker would have had to trick a victim into visiting the payment flow after a shopping experience to facilitate payment. This would require the attacker to either setup a fake web store and entice victims to shop there, or modify an existing store to send victims to the payment flow.”
“PayPal takes the security of our customers’ data, money and account information extremely seriously and worked quickly to resolve an issue on the SecurePayment page. We have no evidence to suggest that any PayPal accounts were impacted in any way,” PayPal said.
“Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognize the important role that security researchers and our user community play in also helping to keep PayPal and our customers secure, which is why we run a Bug Bounty Program. If you discover a site or product vulnerability please notify us through our Bug Bounty Program,” the company added.
This is not the first time Hegazy has found a serious vulnerability in a high-profile service. Last year, he identified a security hole in a Yahoo domain that allowed him to gain root access to one of the company’s servers.
Related Reading: PayPal Fixes Remote Code Execution Flaw in Partner Program Website
*Updated with correct fix date (July 10) and additional information from PayPal