PayPal Flaw Gets Accidental Two-Year Reprieve?
Doug Caverly Staff Writer
2006-07-20
A recent development has shaken many users' confidence in PayPal. It seems a security flaw that was "discovered" last month was actually nothing new at all; the same vulnerability was supposedly first identified about two years earlier.
The flaw in question is the cross-site scripting (XSS) vulnerability that, as described by Netcraft, "was harnessed by fraudsters to execute a convincing phishing attack against PayPal users." Netcraft covered the flaw last month, and PayPal, by all accounts, acted quickly to fix it. Everything seemed fine until today, when Netcraft published evidence that the company had been made aware of the same flaw much earlier.
"Chris Marlow tried to warn PayPal about the flaw in June 2004, but claims the PayPal representative he spoke to did not understand what cross-site scripting was, and - due to company policy - was unable to provide an email address to allow a proof-of-concept exploit to be demonstrated," wrote Paul Mutton. Marlow then went on to post "details about the exploit to his web site."
Mutton's article links to the cached page where Marlow described the flaw after being dismissed by PayPal. The news probably isn't going to help the payment service's reputation; Google Checkout managers are probably having a laugh in their offices this very moment.
It's unlikely that it will have any tangible effect on the company, though. So many major sites and programs have had so many lapses in security, and yet most of them remained largely unscathed. Still, it's disconcerting to see PayPal (allegedly) let a security flaw go unaddressed.
About the Author:
Doug is a staff writer for SecurityProNews, InternetFinancialNews, SearchNewz, and WebProNews.