Connect with us

Hi, what are you looking for?



PayPal Patches Serious Flaw in Payment System

Flaw in PayPal “SecurePayments” Page Allowed Hackers to Steal Users’ Data

PayPal has patched a serious vulnerability that could have been exploited by malicious actors to trick users into handing over their personal and financial details.

Flaw in PayPal “SecurePayments” Page Allowed Hackers to Steal Users’ Data

PayPal has patched a serious vulnerability that could have been exploited by malicious actors to trick users into handing over their personal and financial details.

The vulnerability, discovered by Egypt-based researcher Ebrahim Hegazy, was caused by a stored cross-site scripting (XSS) bug in the domain. The domain is used for PayPal’s hosted solution, which enables online shop owners to allow buyers to pay with a payment card or their PayPal account, eliminating the need to capture or store sensitive payment information.

According to Hegazy, a malicious actor could have set up a rogue shopping site or hijacked a legitimate website, and alter the “Checkout” button with a URL designed to exploit the XSS vulnerability. This allowed the attacker to change the contents of the SecurePayments page and display a phishing page where the victim is instructed to enter personal and financial information.

The harvested data is then sent back to a server controlled by the attacker, the researcher explained.

The XSS code could have been injected into the PayPal SecurePayments page via a URL that looked something like this:

Advertisement. Scroll to continue reading.

Then, this malicious URL was injected into the checkout button, the expert said.

The vulnerability was reported to PayPal on June 19. The payment processor fixed the flaw on July 10.

Hegazy told SecurityWeek that PayPal awarded him $750 for his findings, which is the maximum bug bounty payout for XSS vulnerabilities. The researcher has published a proof-of-concept video to demonstrate the existence of the flaw.

“The vulnerability was found in a payment flow that allows merchants to customize the payment experience for their customers,” PayPal told SecurityWeek“To exploit the vulnerability, an attacker would have had to trick a victim into visiting the payment flow after a shopping experience to facilitate payment. This would require the attacker to either setup a fake web store and entice victims to shop there, or modify an existing store to send victims to the payment flow.”

“PayPal takes the security of our customers’ data, money and account information extremely seriously and worked quickly to resolve an issue on the SecurePayment page. We have no evidence to suggest that any PayPal accounts were impacted in any way,” PayPal said.

“Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognize the important role that security researchers and our user community play in also helping to keep PayPal and our customers secure, which is why we run a Bug Bounty Program. If you discover a site or product vulnerability please notify us through our Bug Bounty Program,” the company added.

This is not the first time Hegazy has found a serious vulnerability in a high-profile service. Last year, he identified a security hole in a Yahoo domain that allowed him to gain root access to one of the company’s servers.

Related Reading: PayPal Fixes Remote Code Execution Flaw in Partner Program Website

*Updated with correct fix date (July 10) and additional information from PayPal

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.