Monday, October 18, 2021

PayPal fixes reflected XSS vulnerability in user wallet currency converter | ZDNet

PayPal has resolved a reflected cross-site scripting (XSS) vulnerability found in the currency converter feature of user wallets. 

First reported privately on February 19, 2020, by a bug bounty hunter who goes by the name “Cr33pb0y” on HackerOne, the vulnerability is described as a “reflected XSS and CSP bypass” issue.

The bug was found in the currency converter feature of PayPal wallets on the PayPal web domain.

In a limited disclosure published on February 10, 2021, close to a year after the researcher reported the issue privately, PayPal said the bug existed in the currency conversion endpoint and was caused by a failure to properly sanitize user input.

According to the advisory, a URL parameter was not properly sanitized, which could allow threat actors to inject malicious JavaScript, HTML, or any other code “that the browser could execute.”

As a result, a malicious payload would execute in the Document Object Model (DOM) of the victim's browser page without their knowledge or consent.

In a reflected XSS attack, the server echoes attacker-controlled input from the request straight back into the response page, so the victim may only need to click a crafted link for the payload to run in their session. Payloads may be used to steal cookies, session tokens, or account information, or can serve as a step in a wider attack.

Following the bug bounty hunter’s report, PayPal has implemented additional validation checks and sanitizer controls on user input to the currency exchange feature to eliminate the bug.

No CVE has been assigned, but the vulnerability was rated medium severity. The researcher was awarded a $2,900 bounty.

Last year, HackerOne published a list of the most impactful and most rewarded vulnerability types reported on the platform during 2020. XSS, improper access control, information disclosure, and Server-Side Request Forgery (SSRF) took the top spots.
