Archive for the ‘paypal’ Tag

PayPal Security Flaw reported at Netcraft

Tuesday, June 20th, 2006

Netcraft: PayPal Security Flaw allows Identity Theft
A security flaw in the PayPal web site is being actively exploited by fraudsters to steal credit card numbers and other personal information belonging to PayPal users. The issue was reported to Netcraft today via our anti-phishing toolbar.

The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique (XSS).

PayPal has fixed the flaw that allowed the exploit. This type of exploit is called a Cross-Site Scripting (XSS) attack. The link will lead you to a very technical page, which just means that a web application is taking user information without validating and URL decoding the input. If it is not properly validated and decoded, it could be malicious. The app then uses the potentially malicious data to build another web page. A fraudster would then find some way to trick you into accessing this new page, usually using a technique called phishing: sending a fraudulent email made to appear that it is coming from a site that you normally do business with, like PayPal or a bank. The fraudster could then trick your web browser into redirecting you to his own site (if you are not paying attention), usually designed to look like the site you wanted to access, where you would enter your user name, password, or any other personal info he can trick you into entering.
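The Python sketch below is an added example, not code from PayPal, Netcraft or the original post. It shows the class of flaw described above: a page builder that checks the request value before URL decoding it and then writes the decoded text into HTML, next to a version that decodes once and HTML-encodes at output. The template, function names and sample values are hypothetical and constructed for the example.

```python
from html import escape
from urllib.parse import unquote_plus

# Hypothetical page template that echoes a request parameter back to the user.
PAGE = "<html><body><p>Results for: {term}</p></body></html>"


def naive_filter_ok(raw: str) -> bool:
    """Flawed check: inspects the still-encoded value, so %3C and %3E pass."""
    return "<" not in raw and ">" not in raw


def render_vulnerable(raw_param: str) -> str:
    # Validates BEFORE decoding, then places the decoded text directly in HTML.
    if not naive_filter_ok(raw_param):
        return PAGE.format(term="[rejected]")
    return PAGE.format(term=unquote_plus(raw_param))


def render_hardened(raw_param: str) -> str:
    # Decode exactly once, then HTML-encode at the point of output so the
    # browser treats the value as text, whatever characters it contains.
    return PAGE.format(term=escape(unquote_plus(raw_param), quote=True))


def contains_live_markup(page: str) -> bool:
    """True if the response carries a script tag the template never had."""
    return "<script" in page.lower()


# Constructed sample request values (not taken from the PayPal incident).
BENIGN = "red+shoes"
ENCODED_MARKUP = "%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    for value in (BENIGN, ENCODED_MARKUP):
        print("vulnerable:", render_vulnerable(value))
        print("hardened:  ", render_hardened(value))
```

A valid SSL certificate does not change this outcome, since the altered markup is served by the genuine site over the same encrypted connection.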

The Google Effect

Thursday, February 9th, 2006

PayPal Prepares For a Challenge From Google
By MYLENE MANGALINDAN
Staff Reporter of THE WALL STREET JOURNAL
February 6, 2006; Page B1

When Jeff Jordan learned last May that Web-search leader Google Inc. was building its own Internet-payment service, he reacted swiftly.

Mr. Jordan, who is president of eBay Inc.’s PayPal online-payments unit, immediately asked employees to unearth information about the Google service. Soon, PayPal employees were monitoring blogs, news reports and other data for information about Google’s progress in payments. PayPal staffers even gleaned details about Google’s plans during regular calls to customers who were eager to dish about how Google had reached out to them.

It looks like Google is the new Microsoft. The mere mention that they might enter a market sends executives scurrying around like little chipmunks. The difference between Google and Microsoft is that they are competing on the strength of their products, and not on any leverage they might have as a monopoly.