Posted Tuesday 10th February 2009 09:17 GMT
On Friday 30th January, I completed a PayPal transaction and was surprised to note that NoScript (in Firefox) advised me it had blocked a suspected XSS attack. Their site seems to have been infected for over a week then.
At the time, I was buying something from an established Powerseller and had been taken to his trading site that used an intermediary website to collect payment. I've always been suspicious of these and prefer to be sent to PayPal direct. I was extra suspicious because the intermediary trader site asked me for my PayPal e-mail and password 'to make it easier to make payments the next time i bought anything'. I refused and it passed me over to PayPal.
I did think that the XSS attack was due to being involved with the intermediate trader but NoScript did say it came from PayPal and this article seems to confirm it.
Posted Tuesday 10th February 2009 10:10 GMT
why oh why anybody still trusts paypal/fleabay any more is beyond me, they cant even secure their own sites, if it wasnt so serious it would be hillarious, if they cut down their use of javascript and wide-open flash content, joe public might have a chance, pigs might fly too, some chance eh ?? bloody oxygen theives grrrrrrrrrrrrrrr :O)
Posted Tuesday 10th February 2009 10:59 GMT
You expect it to be fixed next week?
Try more like next year.
/slinks off
Posted Tuesday 10th February 2009 10:59 GMT
The XSS detection in noscript's a pain in the arse with 3dsecure, whenever I'm checking out now I close everything else then allow globally otherwise half the time you end up failing when it kicks back to the shop's page.
Might just be the way it detects redirection, not bothered to look into it.
Posted Tuesday 10th February 2009 12:13 GMT
...3D Secure is so wrong. Well, it's just another reason why 3D Secure is so wrong.
Any "security system" that requires me to lower my level of security to get it to work is fundamentally flawed.
Posted Tuesday 10th February 2009 13:11 GMT
I keep a second firefox profile without noscript for when I want to buy anything.
Posted Tuesday 10th February 2009 13:11 GMT
http://www.theregister.co.uk/2009/02/08/kaspersky_compromise_report/comments/
By Fugitif Posted Sunday 8th February 2009 23:09 GMT
this bug was found with dorks query on google and exploited with schemafuzz.py ! that's all.
90% websites/forums are vulnerable to sql injection so I don't see where is the problem.
Did he leave a source IP address? Maybe he posted from Paypal?
Posted Wednesday 11th February 2009 05:12 GMT
So let me get this straight - you installed a piece of software designed to help block security issues when you're browsing websites but when you want to disclose your credit card number and expiry date, you turn it off?
Ok.
Posted Wednesday 11th February 2009 14:23 GMT
Yep. If I'm giving a site my credit card number, I already trust them enough to let them run scripts.
I actually have three firefox profiles, each for different uses. Each one has its own set of add-ons and cookies.
1. Casual browsing. (With Noscript)
2. GMail.
3. Credit card.
I run the first two all the time. The third is only used when I want to buy anything and I know that noscript would get in the way.
I made a video showing how to do this. Enjoy.
http://www.youtube.com/watch?v=_5oubQ4kggs
Posted Thursday 12th February 2009 04:04 GMT
"when I want to buy anything and I know that noscript would get in the way."
Eh?? NoScript is easy to use - I buy stuff all the time when using NoScript.
Whatever floats your boat though.
Sign up, sign up for The Register's weekly IT security newsletter - click here
Back to the article
