02-13-2021 , 10:03 PM
PayPal has patched a cross-site scripting - or XSS - vulnerability in its currency conversion endpoint that, if exploited, could enable malicious JavaScript injection.
The PayPal vulnerability was discovered in February 2020 by a security researcher who goes by the name Cr33pb0y, who was paid $2,900 as part of HackerOne's bug bounty program.
Responding in the HackerOne forum, PayPal notes the vulnerability resulted in its currency conversion URL improperly handling user input. An attacker exploiting the vulnerability could perform JavaScript injection or add other malicious code to the URL to access the document object model on the victim's browser. By loading a malicious payload into a victim's browser, hackers could steal data or take control of a device.
The vulnerability was resolved, PayPal says, "by implementing additional controls to validate and sanitize user input before being returned in the response."
XSS Attacks
XSS vulnerabilities are a common attack vector for hackers.
A string of recent data breaches has been tied to vulnerabilities in Accellion's File Transfer Appliance, including what some experts say was an XSS flaw (see: The Accellion Mess: What Went Wrong?).
In 2019, an independent security researcher found that an XSS bug in Tesla 3's web browser enabled him to hack into the car (see: How a Big Rock Revealed a Tesla XSS Vulnerability).
The researcher noted that the flaw, if exploited, could enable a hacker to perform JavaScript injection to compromise the car further.
Source
The PayPal vulnerability was discovered in February 2020 by a security researcher who goes by the name Cr33pb0y, who was paid $2,900 as part of HackerOne's bug bounty program.
Responding in the HackerOne forum, PayPal notes the vulnerability resulted in its currency conversion URL improperly handling user input. An attacker exploiting the vulnerability could perform JavaScript injection or add other malicious code to the URL to access the document object model on the victim's browser. By loading a malicious payload into a victim's browser, hackers could steal data or take control of a device.
The vulnerability was resolved, PayPal says, "by implementing additional controls to validate and sanitize user input before being returned in the response."
XSS Attacks
XSS vulnerabilities are a common attack vector for hackers.
A string of recent data breaches has been tied to vulnerabilities in Accellion's File Transfer Appliance, including what some experts say was an XSS flaw (see: The Accellion Mess: What Went Wrong?).
In 2019, an independent security researcher found that an XSS bug in Tesla 3's web browser enabled him to hack into the car (see: How a Big Rock Revealed a Tesla XSS Vulnerability).
The researcher noted that the flaw, if exploited, could enable a hacker to perform JavaScript injection to compromise the car further.
Source