New Delhi: A serious security flaw was recently discovered in PayPal that could have allowed hackers to steal your unencrypted credit card details. Fortunately, the bug has been fixed.
The vulnerability, discovered by Egypt-based researcher Ebrahim Hegazy, was caused by a stored cross-site scripting (XSS) bug in the SecurePayments.PayPal.com domain.
The domain is used for PayPal’s hosted solution, which enables online shop owners to allow buyers to pay with a payment card or their PayPal account, eliminating the need to capture or store sensitive payment information.
According to Hegazy's blog post, the vulnerability was found only on the "https://securepayments.paypal.com" domain, which is used to process commercial transactions.
"I’ve found a Stored XSS vulnerability that affects the SecurePayments page directly which allowed me to alter the page HTML and rewrite the page content," says Hegazy.
Using this flaw, an attacker would have been able to inject his own payment forms into the page's HTML, allowing him to intercept the user's private financial information in clear text.
The vulnerability was disclosed to the PayPal team and was fixed two days ago. PayPal also awarded Ebrahim Hegazy $750 for his findings.
(With Agency inputs)