This is Zigoo0 again, and today I will talk about a Stored XSS vulnerability in “https://Securepayments.Paypal.com” that could be used by attackers to steal PayPal users' credit card and login credentials and more!
Vulnerability Title: Paypal Critical Vulnerability to steal Users Credit Cards in ClearText format
Vulnerable Page: https://securepayments.paypal.com/cgi-bin/acquiringweb
Vulnerable Parameter: template
The PayPal SecurePayments domain is used by PayPal users to make secure payments when purchasing from any shopping site.
This secure payments page requires PayPal users to fill in forms that include their credit card number, CVV2, expiry date and more to finalize the payment and purchase the products via their PayPal account.
The submitted data is sent over an encrypted channel (HTTPS), so attackers won't be able to sniff/steal it in transit.
I found a Stored XSS vulnerability that affects the SecurePayments page directly, which allowed me to alter the page's HTML and rewrite its content. An attacker can present his own HTML forms for the user to fill in and send the user's data back to the attacker's server in clear text, and then use this information to purchase anything on behalf of the user or even transfer the user's funds to his own account!
The worst attacking scenario that could be conducted using this vulnerability is:
1- The attacker sets up a shopping site or hacks into any shopping site and alters the “CheckOut” button with the PayPal vulnerability,
2- A PayPal user browses the malicious shopping site, chooses some products and clicks the “CheckOut” button to pay with his PayPal account,
3- The user gets redirected to https://Securepayments.Paypal.com/ to fill in the required credit card information to complete the purchase order. The price of the products to be paid is shown inside that same page, and as we know the attacker now controls this page!
4- Now when you (the PayPal user) click on the Submit Payment button, instead of paying, let's say, “100$”, YOU WILL PAY TO THE ATTACKER WHATEVER AMOUNT THE ATTACKER DECIDES!!
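The two defects the scenario above relies on are the same ones a reviewer checks for in any server-rendered checkout page: a request parameter that ends up in the page as markup, and a displayed amount that the client can influence. The following is an added example, not code from the post or from PayPal; it assumes (hypothetically, since the post does not say what the real `template` parameter accepted) that the parameter is meant to select a server-owned template by name, and it uses a constructed order record and constructed request dictionaries. It shows the vulnerable pattern beside a hardened renderer that allowlists the template name, HTML-escapes every interpolated value and takes the amount only from server-side state, plus a small triage check for request logs.

```python
import html
from decimal import Decimal

# Constructed server-side state: the order record is the only source of the amount.
ORDERS = {
    "ord-1001": {"merchant": "Example Shop <Ltd>", "amount": Decimal("100.00")},
}

# Server-owned templates, keyed by the only names the client is allowed to select.
TEMPLATES = {
    "default": "<h1>Checkout</h1><p>Merchant: {merchant}</p><p>Amount due: ${amount}</p>",
    "minimal": "<p>Pay ${amount} to {merchant}</p>",
}


def render_unsafe(request):
    """Vulnerable pattern (constructed): request fields are written into the page
    as raw markup, and the amount shown is whatever the request carried.
    Anything in the 'template' field is interpreted by the browser as HTML."""
    return (
        f'<div class="checkout">{request["template"]}'
        f'<p>{request["merchant"]}</p><p>Amount due: ${request["amount"]}</p></div>'
    )


def render_safe(request):
    """Hardened pattern: 'template' only selects a server-owned template, every
    interpolated value is HTML-escaped, and the amount comes from the order
    record rather than from the request."""
    name = request.get("template", "default")
    if name not in TEMPLATES:
        raise ValueError(f"unknown template {name!r}")
    order = ORDERS[request["order_id"]]
    return TEMPLATES[name].format(
        merchant=html.escape(order["merchant"], quote=True),
        amount=html.escape(f"{order['amount']:.2f}", quote=True),
    )


def looks_like_markup(value):
    """Cheap triage check for request logs: a template *name* never needs
    characters that HTML interprets, so their presence is worth flagging."""
    return any(ch in value for ch in "<>\"'&")


if __name__ == "__main__":
    # Constructed requests: a benign one and one carrying markup in 'template'.
    benign = {"template": "default", "order_id": "ord-1001",
              "merchant": "Example Shop <Ltd>", "amount": "100.00"}
    hostile = {"template": "<b>injected</b>", "order_id": "ord-1001",
               "merchant": "Example Shop <Ltd>", "amount": "1.00"}
    print("unsafe:", render_unsafe(hostile))   # markup and client amount reach the page
    print("safe:  ", render_safe(benign))      # escaped merchant, server-side amount
    for req in (benign, hostile):
        print(req["template"], "-> markup?", looks_like_markup(req["template"]))
```

Note that `render_safe` never reads `merchant` or `amount` from the request at all: once the page is built only from server state and an allowlisted template name, there is nothing left for a tampered checkout button to rewrite.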
Demo: Now that you've reviewed the vulnerability details, it's demo time.
In the demo video below I show how an attacker with this vulnerability could steal your credit card and login credentials!
As an ethical hacker, I reported this vulnerability to PayPal and it is now FIXED. Welcome back, SECURED SecurePayments!
Below is a TimeLine of the vulnerability:
Vulnerability Discovery: 19/Jun/15 2:27 AM
Vulnerability Reported: 19/Jun/15 7:10 AM
Remediation Notification: Aug 24, 2015 at 7:04 PM
Thanks to the PayPal Security team for the good coordination and the fast responses to emails.
You can follow me on Twitter for the latest vulnerabilities/news/updates -> @Zigoo0