Tuesday, April 13, 2021

PayPal fixes reflected XSS vulnerability in user wallet currency converter | ZDNet

PayPal has resolved a reflected cross-site scripting (XSS) vulnerability found in the currency converter feature of user wallets. 

First disclosed on February 19, 2020, by a bug bounty hunter who goes by the name “Cr33pb0y” on HackerOne, the vulnerability is described as a “reflected XSS and CSP bypass” issue. 

The bug was found in the currency converter feature of PayPal wallets on the PayPal web domain.

In a limited disclosure, published on February 10 — close to a year after the researcher reported the issue privately — PayPal said the bug existed in the currency conversion endpoint and was caused by a failure to properly sanitize user input. 

A URL parameter whose value was not properly cleaned could allow threat actors to inject malicious JavaScript, HTML, or any other code “that the browser could execute,” according to the advisory. 

As a result, malicious payloads could execute in the Document Object Model (DOM) of a victim's browser page without their knowledge or consent. 

In a reflected XSS attack, the payload is carried in a request (for example, in a URL parameter) and echoed back by the web server into the page the browser renders, so an attack may require only that a victim click on a malicious link. Payloads may be used to steal cookies, session tokens, or account information, or could be used as a step in wider attacks. 

Following the bug bounty hunter’s disclosure, PayPal has now implemented additional validation checks and sanitizer controls to constrain user input in the currency exchange feature and eliminate the bug.

A CVE has not been assigned but the vulnerability has been categorized as medium-severity. The researcher was awarded $2,900 as a financial reward. 

Last year, HackerOne published a list of the most impactful and rewarded vulnerability types reported on the platform during 2020. XSS attacks, improper access control, information disclosure, and Server-Side Request Forgery (SSRF) vulnerabilities secured the top spots. 

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
