PayPal fixes reflected XSS vulnerability in user wallet currency converter

PayPal has resolved a reflected cross-site scripting (XSS) vulnerability found in the currency converter feature of user wallets. 

First disclosed on February 19, 2020, by a bug bounty hunter who goes by the name “Cr33pb0y” on HackerOne, the vulnerability is described as a “reflected XSS and CSP bypass” issue. 

The bug was found in the currency converter feature of PayPal wallets on the PayPal web domain.

In a limited disclosure, published on February 10 — close to a year after the researcher reported the issue privately — PayPal said the bug existed in the currency conversion endpoint and was caused by a failure to properly sanitize user input. 

A URL parameter was not properly sanitized, which could allow threat actors to inject malicious JavaScript, HTML, or any other code “that the browser could execute,” according to the advisory.

As a result, malicious payloads could execute in the Document Object Model (DOM) of a victim's browser page without their knowledge or consent.

In a reflected XSS attack, the malicious script is sent to the web application (typically in a crafted URL) and echoed back unescaped in the response, so the victim's browser executes it; often the victim only has to click on a malicious link to trigger it. Payloads may be used to steal cookies, session tokens, or account information, or could be used as a step in wider attacks.

Following the bug bounty hunter’s disclosure, PayPal has now implemented additional validation checks and sanitizer controls on user input in the currency exchange feature, eliminating the bug.
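As an added illustration of the bug class the advisory describes (not PayPal's code, whose internals are not public), here is a minimal currency-converter handler that reflects URL parameters straight into the page, beside a hardened version that validates each parameter against an allowlist and HTML-escapes on output; the parameter names and exchange rates are assumptions constructed for the example.

```python
import html
import re
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Hypothetical fixed rates, constructed for this example only.
RATES = {("USD", "EUR"): Decimal("0.92"), ("EUR", "USD"): Decimal("1.09")}
CURRENCY_RE = re.compile(r"^[A-Z]{3}$")  # allowlist: ISO-4217 style code


def vulnerable_convert_page(url: str) -> str:
    """Reflects query parameters into the HTML response unchanged (the bug class)."""
    q = parse_qs(urlsplit(url).query)
    src = q.get("from", [""])[0]
    dst = q.get("to", [""])[0]
    amount = q.get("amount", [""])[0]
    # Parameters are concatenated into markup with no validation or escaping,
    # so any HTML or script in the URL reaches the victim's DOM as-is.
    return f"<p>Convert {amount} {src} to {dst}</p>"


def fixed_convert_page(url: str) -> str:
    """Validates every parameter against an allowlist, then escapes on output."""
    q = parse_qs(urlsplit(url).query)
    src = q.get("from", [""])[0]
    dst = q.get("to", [""])[0]
    raw_amount = q.get("amount", [""])[0]
    # 1. Input validation: only three-letter codes and finite, non-negative decimals.
    if not (CURRENCY_RE.match(src) and CURRENCY_RE.match(dst)):
        return "<p>Invalid currency code.</p>"
    try:
        amount = Decimal(raw_amount)
        if not amount.is_finite() or amount < 0:
            raise InvalidOperation
    except InvalidOperation:
        return "<p>Invalid amount.</p>"
    rate = RATES.get((src, dst))
    if rate is None:
        return "<p>Unsupported currency pair.</p>"
    result = (amount * rate).quantize(Decimal("0.01"))
    # 2. Output encoding: escape even validated values before they reach the DOM,
    #    so a later relaxation of the allowlist cannot silently reintroduce XSS.
    return (f"<p>{html.escape(str(amount))} {html.escape(src)} = "
            f"{html.escape(str(result))} {html.escape(dst)}</p>")
```

Validation alone is not enough in general; the escaping step is what guarantees that whatever string reaches the template is rendered as text rather than markup.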

A CVE has not been assigned but the vulnerability has been categorized as medium-severity. The researcher was awarded $2,900 as a financial reward. 

Last year, HackerOne published a list of the most impactful and rewarded vulnerability types reported on the platform during 2020. XSS attacks, improper access control, information disclosure, and Server-Side Request Forgery (SSRF) vulnerabilities secured the top spots. 

By ZDNet
