PayPal has fixed a cross-site scripting problem on its mobile payments site that, left unaddressed, had the potential for misuse in phishing attacks. The vulnerability, discovered by hacking and security site Security-Shell, also created a possible mechanism for hackers to redirect surfers from mobile.paypal.com onto untrusted …
"We act very quickly whenever ..."
They sure do, especially when it comes to embezzling funds destined for their merchants - remember Cryptome?
PayPal collector and vendor of private information - one outfit to avoid at all costs, especially if you are a merchant who needs your collections paid over quickly to survive in these hard economic times.
Correction regarding Veracode's data
Great article. Good to see PayPal respond promptly to a reported XSS issue. I am one of the co-authors of Veracode's State of Software Security report that highlighted the XSS prevalence issue referenced here. I wanted to point out that the report is not based on a survey. It is based on an analysis of over 2900 real-world applications that were submitted to Veracode's cloud-based application risk management platform over the last 18 months. We issue this report every six months and it reports on the key findings and observations based on the security testing we perform across web and non-web applications from across the software supply chain (internally developed , open source, outsourced and commercial apps are all included). Readers can find the full report here: http://www.veracode.com/reports/index.html
Draft Media Release re PayPal
“It is with great sadness that eBay’s Chief Headless Turkey, John Donahoe, announces the probable demise of eBay’s most ugly daughter, PayPal. Donahoe says that PayPal has been stricken by particularly virulent strains of Visa+CyberSource and Mastercard Open Platform, and these afflictions are greatly aggravated by PayPal’s insurmountable lack of direct financial institutions support and a great deal of PayPal user dissatisfaction, particularly with respect to PayPal’s grossly unfair, “all responsibility avoiding” user agreement, totally primitive risk management processes, and grossly unprofessional, usually buyer-biased, fraud-facilitating (indeed, non existent) transactions mediation, to name just a few of the problems that PayPal merchants have to endure.
“Donahoe says that PayPal’s health may therefore be expected to deteriorate and, if ultimately not completely incapacitated, will most likely be eventually confined to its mandatory offering on what little there will be, by then, left of the Donahoe-devastated eBay marketplaces. There is no cure for this condition, and the “eBafia Don” is particularly saddened by the inevitable presumption that it is unlikely that PayPal, will be able to continue to underpin eBay’s sagging bottom line too far into the future.”
Yes, it’s a send-up but, still, it accurately describes PayPal’s most unprofessional and “clunky” operation. The fact is, had the developers of the original “bankcard” concept ever behaved the way PayPal behaves towards its payees in particular, credit/debit cards may never have gotten off the ground, and we would probably still be paying for all our purchases with bits of paper and little metal discs.
It should also be emphasized that all the payments processors that do not have the direct underlying support of the financial institutions, as do Visa/Mastercard, suffer the same handicaps that PayPal does. The “banks” may be disliked by some but they at least supply a “professional” payments processing service.
A detailed examination of and prognosis for PayPal, (including a link to the “PayPal Horror Tour”) at:
Shill Bidding on eBay: Case Study #4
This latest study provides an indication of eBay’s desperation to mitigate lessening sales activity and very effectively demonstrates eBay’s effective aiding and abetting of criminal shill bidding “wire fraud” activity on unsuspecting buyers:
eBay/PayPal/Donahoe: Dead Men Walking.
I never liked PayPal...
I never liked PayPal, didn't quite understand its reason for being,
but these 'horror stories' are worth reading.Wow...
what about another xss & redirect ? paypal site is still vulnerable
new xss and redirect ( live poc )