“I’ve found a Stored XSS vulnerability that affects the SecurePayment page directly which allowed me to alter the page HTML and rewrite the page content, An attacker can provide his own HTML forms to the user to fulfill and send the users data back to attacker’s server in clear text format, and then use this information to purchase anything in behave of users or even transfer the users fund to his own account!” wrote the expert in a blog post.

Which are the attack scenarios?

Ebrahim explained that the worst attack scenario is:

Attacker setup shopping site or Hack into any shopping site, alter the “CheckOut” button with the Paypal Vulnerability,

Paypal user browse the malformed shopping site, choose some products, click on “CheckOut” button to Pay with his Paypal account,

User get’s redirected to https://Securepayments.Paypal.com/ to fill the required Credit Card information to complete the purchasing order, In the same page, the products price that will be paid is included inside the same page, and as we know the attacker now control this page!

Now when the Paypal user click on Submit Payment button, instead of paying let’s say “100$” YOU WILL PAY THE ATTACKER WHATEVER AMOUNT THE ATTACKER’S DECIDE!!

Below the video PoC published by the expert that shows how the attacker exploits the vulnerability to steal the user Credit Card and login Credentials information.

The expert ethically reported the flaw to Paypal that promptly fixed it, this is the Time Line of the bug:

Vulnerability Discovery: 19/Jun/15 2:27 AM

Vulnerability Reported: 19/Jun/15 7:10 AM

Remediation Notification: Aug 25, 2015 at 5:44 AM

Thanks Paypal Security team for the good coordination the fast responses for Emails.

Pierluigi Paganini

(Security Affairs – hacking, PayPal)