Over a week old
On Friday 30th January, I completed a PayPal transaction and was surprised to note that NoScript (in Firefox) advised me it had blocked a suspected XSS attack. Their site seems to have been infected for over a week then.
At the time, I was buying something from an established Powerseller and had been taken to his trading site, which used an intermediary website to collect payment. I've always been suspicious of these and prefer to be sent to PayPal direct. I was extra suspicious because the intermediary trader site asked me for my PayPal e-mail and password 'to make it easier to make payments the next time I bought anything'. I refused and it passed me over to PayPal.
I did think that the XSS attack was due to being involved with the intermediate trader but NoScript did say it came from PayPal and this article seems to confirm it.
Sounds about right!
You're being optimistic aren't you?
You expect it to be fixed next week?
Try more like next year.
The XSS detection in NoScript's a pain in the arse with 3D Secure; whenever I'm checking out now I close everything else and then allow globally, otherwise half the time you end up failing when it kicks back to the shop's page.
It might just be the way it detects redirection; I haven't bothered to look into it.
This is why...
...3D Secure is so wrong. Well, it's just another reason why 3D Secure is so wrong.
Any "security system" that requires me to lower my level of security to get it to work is fundamentally flawed.
I keep a second Firefox profile without NoScript for when I want to buy anything.
Even Fugitif reads El Reg!!
By Fugitif Posted Sunday 8th February 2009 23:09 GMT
This bug was found with a dork query on Google and exploited with schemafuzz.py! That's all.
90% of websites/forums are vulnerable to SQL injection, so I don't see where the problem is.
Did he leave a source IP address? Maybe he posted from Paypal?
@Bill P Godfrey
So let me get this straight - you installed a piece of software designed to help block security issues when you're browsing websites but when you want to disclose your credit card number and expiry date, you turn it off?
Yep. If I'm giving a site my credit card number, I already trust them enough to let them run scripts.
I actually have three Firefox profiles, each for different uses. Each one has its own set of add-ons and cookies.
1. Casual browsing. (With NoScript)
3. Credit card.
I run the first two all the time. The third is only used when I want to buy anything and I know that NoScript would get in the way.
I made a video showing how to do this. Enjoy.
Paris probably could use NoScript
"when I want to buy anything and I know that NoScript would get in the way."
Eh?? NoScript is easy to use - I buy stuff all the time when using NoScript.
Whatever floats your boat though.