Phishing Scammers Could Exploit Vulnerabilities on eBay and PayPal
By Ina Steiner
A Romanian "security enthusiast" said he discovered new cross-site scripting (XSS) vulnerabilities on PayPal and eBay that fraudsters could use to build very credible phishing attacks, according to Softpedia. A Forbes blog post explains in more detail how the alleged PayPal flaw works. PayPal did not respond to an AuctionBytes inquiry about the reports by press time.*
Phishing is a serious problem for eBay: fraudsters use phishing scams to trick account holders into handing over their credentials and then hijack their accounts, as described in an AuctionBytes Newsflash article from March.
*Update 10/7/10: PayPal Chief Information Security Officer Michael Barrett responded to our inquiry about the cross-site scripting vulnerabilities on Thursday via email, and said the researcher had not informed PayPal of the vulnerabilities before going public:
"Security of our customers' information is the number one priority at PayPal and the potential vulnerability was fixed within hours of being made public yesterday.
"No customers were affected. We value our partnership with the security community and collaborate closely with them when we receive notification of an issue. In this case, the researcher decided to make his discovery public without informing PayPal in advance. We highly recommend any researcher who finds a potential vulnerability report it to PayPal (https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Marketing/securitycenter/general/ReportingSecurityIssues-outside) before going public. In that way we can all ensure that the Internet remains as safe as possible from malicious activity."
About the author:
Ina Steiner is co-founder and Editor of EcommerceBytes and has been reporting on ecommerce since 1999. She's a widely cited authority on marketplace selling and is author of "Turn eBay Data Into Dollars" (McGraw-Hill 2006). Her blog was featured in the book, "Blogging Heroes" (Wiley 2008). Follow her on Twitter at @ecommercebytes and send news tips to firstname.lastname@example.org.