TRENDING:

Governance & Risk Management , Next-Generation Technologies & Secure Development , Patch Management

PayPal Mitigates XSS Vulnerability

Patch Issued After Vulnerability Found in an Endpoint Used for Currency Conversion Akshaya Asokan (asokan_akshaya) • February 12, 2021    
PayPal Mitigates XSS Vulnerability

PayPal has patched a cross-site scripting - or XSS - vulnerability in its currency conversion endpoint that, if exploited, could enable malicious JavaScript injection.

See Also: OnDemand I Remediate the Most Exploitable Vulnerabilities First and Fast

The PayPal vulnerability was discovered in February 2020 by a security researcher who goes by the name Cr33pb0y, who was paid $2,900 as part of HackerOne's bug bounty program.

Responding in the HackerOne forum, PayPal notes the vulnerability resulted in its currency conversion URL improperly handling user input. An attacker exploiting the vulnerability could perform JavaScript injection or add other malicious code to the URL to access the document object model on the victim's browser. By loading a malicious payload into a victim's browser, hackers could steal data or take control of a device.

The vulnerability was resolved, PayPal says, "by implementing additional controls to validate and sanitize user input before being returned in the response."

XSS Attacks

XSS vulnerabilities are a common attack vector for hackers.

"Exploitable software vulnerabilities will unavoidably happen, and when they do, some adversaries may be in a position to take advantage of them," says Tim Wade, technical director, CTO Team at threat detection company Vectra. "It’s the nature of the beast and it’s incumbent on organizations to plan for this possibility."

"Vulnerabilities that exploit XSS are often prevalent because they are difficult and time-consuming to test for automatically," says Dirk Schrader, global vice president at cyber security vendor New Net Technologies. "Secure coding techniques are ultra-critical in order to mitigate these vulnerabilities ‘at source’. It’s still the basics that leave most organizations at risk, so core security controls such as vulnerability management, patching and configuration hardening are still going to give the best return for protection vs effort."

Recent Incidents

A string of recent data breaches has been tied to vulnerabilities in Accellion's File Transfer Appliance, including what some experts say was an XSS flaw (see: The Accellion Mess: What Went Wrong?).

In 2019, an independent security researcher found that an XSS bug in Tesla 3's web browser enabled him to hack into the car (see: How a Big Rock Revealed a Tesla XSS Vulnerability).

The researcher noted that the flaw, if exploited, could enable a hacker to perform JavaScript injection to compromise the car further.

Previous
Siemens Patches 21 Vulnerabilities in 2 Tools
Next
Water Treatment Hack Prompts Warning From CISA

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.



Around the Network

Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.