Windows Support Tools


Sunday, 28 December 2008

PayPal XSS Vulnerability Undermines EV SSL Security

Posted on 21:51 by Unknown

A security researcher in Finland has discovered a cross-site scripting vulnerability on paypal.com that would allow hackers to carry out highly plausible attacks, adding their own content to the site and stealing credentials from users.

The vulnerability is made worse by the fact that the affected page uses an Extended Validation SSL certificate, which causes the browser's address bar to turn green, assuring visitors that the site – and its content – belongs to PayPal. Two years ago, a similar vulnerability was discovered on a different page of the PayPal site, which also used an SSL certificate.

Harry Sintonen discovered the vulnerability and announced it to other web application security specialists in an Internet Relay Chat (IRC) channel today. Sintonen told Netcraft that the issue was critical, adding that, "you could easily steal credentials," and, "PayPal says you can trust the URL if it begins with https://www.paypal.com," which is not true in this case.

While SSL certificates do indeed provide a higher level of assurance when it comes to site ownership, they cannot guarantee that a site is free from other security problems – including cross-site scripting. There are concerns that hackers may exploit misunderstandings in the significance of the green address bar for their own benefit, piggybacking off the trust that is instilled by EV certificates. Users need to be aware that a green address bar does not guarantee the origin of a page's contents if there is a cross-site scripting vulnerability on that page.
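The point above, that the transport and the certificate say nothing about what a page does with untrusted input, is easiest to see in code. The following is an added example, not code from PayPal or Netcraft: a minimal greeting handler that reflects a `name` query parameter, first verbatim (the defect class described here) and then with output escaping plus a Content-Security-Policy header. The `QUERY` value, the `probe()` marker and the policy string are constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed sample request: the page reflects the "name" parameter.
# Whether this page is served over plain HTTP or behind an EV certificate
# makes no difference to what happens below.
QUERY = "name=%3Cscript%3Eprobe()%3C%2Fscript%3E"  # constructed, URL-encoded


def name_from_query(query: str) -> str:
    """Return the 'name' parameter, or a default if it is absent."""
    return parse_qs(query).get("name", ["guest"])[0]


def render_vulnerable(query: str) -> str:
    """Reflects untrusted input into HTML unchanged (the XSS defect)."""
    return f"<h1>Hello, {name_from_query(query)}</h1>"


def render_hardened(query: str) -> dict:
    """Escapes the input and adds a CSP header as defence in depth."""
    safe_name = html.escape(name_from_query(query), quote=True)
    return {
        "headers": {
            "Content-Type": "text/html; charset=utf-8",
            # Hypothetical policy: only scripts from this origin may run,
            # so even a missed escape cannot execute inline script.
            "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        },
        "body": f"<h1>Hello, {safe_name}</h1>",
    }


def contains_raw_tag(markup: str) -> bool:
    """Crude check used only to show the difference between the two renders."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_vulnerable(QUERY))            # tag reaches the browser intact
    print(render_hardened(QUERY)["body"])      # tag is rendered as text
```

The hardened body is what a browser would display as literal text; the green address bar would be identical in both cases.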

The vulnerability comes to light only a month after PayPal published a practical approach to managing phishing on their blog, which extols the use of Extended Validation certificates in preventing phishing. The document describes browsers that do not support EV certificates as "unsafe" and announces the company's plans to block customers from accessing their website from the most unsafe browsers.

PayPal was one of the first companies to adopt EV certificates and the company says it has seen noticeably lower abandonment rates on signup flows for Internet Explorer 7 users versus other browsers. According to the document, PayPal believe this correlates closely to user interface changes triggered by their use of EV certificates.


