PayPal has fixed a reflected cross-site scripting (XSS) vulnerability in the currency converter feature of user wallets. The flaw was discovered on February 19, 2020, almost a year ago.
The ‘reflected XSS and CSP bypass’ vulnerability was reported by the bug bounty hunter “Cr33pb0y” through the HackerOne platform.
PayPal has added validation checks and sanitization controls to the currency exchange feature so that user input is sanitized before it is returned in the response.
According to PayPal, the flaw resided in the currency conversion endpoint and was caused by a failure to properly sanitize the input in a parameter in the URL.
Because the unsanitized parameter was reflected into the page, a script supplied in the URL would execute in the browser's Document Object Model (DOM) of another user, typically without that user's knowledge or consent.
In a real attack scenario, threat actors could trigger the flaw by tricking victims into clicking on a specially crafted link.
Such a payload could then be used for a range of malicious activities, such as stealing cookies and session tokens.
Cr33pb0y received a $2,900 reward as part of the bug bounty program.