Security researchers at Bitdefender have uncovered a stored cross-site scripting (XSS) vulnerability in PayPal that could be used by hackers to upload malicious files capable of performing attacks on users of the online banking service.
The flaw, which affects only Firefox users, was found in the URLs that serve uploaded files. Bitdefender's proof of concept used an HTML-formatted XML file, which it uploaded through the 'create an invoice' section of PayPal's website.
Tampering with the URL that pulls uploaded files from PayPal's servers allowed Bitdefender to force the execution of a malicious file on the server.
The security researchers then released a summary of how they uncovered the vulnerability.
“After making an XML file that was then uploaded to PayPal’s server, Bitdefender researchers were able to modify the file’s link and perform changes to it which produced an error,” the security firm said in a blog post.
“Once the full path to the stored XSS was noted, a second file was then uploaded with a pre-determined file name and divided into blocks of 16. Because each block could be changed to affect the block that followed, when some bytes were changed the output looked very different.”
Bitdefender was able to gain a response from PayPal that resulted in a link that could be used by hackers for further attacks. PayPal has since patched the flaw before any cases were discovered in the wild.
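The weakness described above, an uploaded "XML" file that is really HTML and is served back from the application's own origin, is a classic stored-XSS-via-upload pattern. The following is an added example, not PayPal's or Bitdefender's code, showing the two defensive controls a file-upload feature needs: reject uploads whose content is active markup regardless of their extension, and serve whatever is accepted with headers that stop the browser from rendering it as a document in the site's origin. All file contents and names are constructed for the demonstration; the function names are the example's own.

```python
"""Defensive handling of user-uploaded XML attachments (constructed example)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict

# Markup that turns a ".xml" upload into a renderable, script-capable document.
# Firefox, for instance, will render XML that declares the XHTML namespace.
# The check is deliberately conservative: a plain invoice needs none of this.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|html|body|iframe|svg|object|embed)\b"      # active elements
    rb"|xmlns\s*=\s*[\"']http://www\.w3\.org/1999/xhtml[\"']"  # XHTML namespace
    rb"|<\?xml-stylesheet"                                      # XSLT/CSS hook
    rb"|\bon(load|error|click|focus|blur|mouse[a-z]+|key[a-z]+)\s*=",  # handlers
    re.IGNORECASE,
)


def is_active_content(data: bytes) -> bool:
    """True if the bytes could execute script when a browser opens them."""
    return ACTIVE_CONTENT.search(data) is not None


def validate_upload(data: bytes, declared_name: str) -> bool:
    """Accept only plain, well-formed, un-namespaced XML with a .xml name.

    The extension alone proves nothing about the content, so the body is
    checked for active markup before it is parsed. A hardened deployment
    would parse with defusedxml to also block entity-expansion attacks.
    """
    if not declared_name.lower().endswith(".xml"):
        return False
    if is_active_content(data):
        return False
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    # A namespaced root (e.g. XHTML, SVG) is a document, not invoice data.
    return not root.tag.startswith("{")


def download_headers(filename: str) -> Dict[str, str]:
    """Response headers that make an accepted upload inert in the browser.

    Content-Disposition: attachment forces a download instead of rendering,
    nosniff stops content-type guessing, and the CSP sandbox removes script
    and same-origin access if the file is rendered anyway.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)[:128] or "download"
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Cache-Control": "private, no-store",
    }


# Constructed sample uploads: a benign invoice and an XHTML document that
# only pretends to be XML.
BENIGN_INVOICE = b'<?xml version="1.0"?><invoice><item qty="2">pen</item></invoice>'
XHTML_PAYLOAD = (
    b'<?xml version="1.0"?><html xmlns="http://www.w3.org/1999/xhtml">'
    b"<body><script>document.title</script></body></html>"
)

if __name__ == "__main__":
    for name, body in (("invoice.xml", BENIGN_INVOICE), ("invoice.xml", XHTML_PAYLOAD)):
        print(name, "accepted" if validate_upload(body, name) else "rejected")
    print(download_headers("my invoice (1).xml"))
```

The second control matters even when the first is perfect: a server that always answers with `Content-Disposition: attachment` and `nosniff` gives a browser no reason to render whatever it receives, so a bypass of the content filter does not become script running in the site's origin.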
Catalin Cosoi, chief security strategist at Bitdefender, said that he was concerned about the PayPal flaw. “The huge reach that cyber attackers had access to through this vulnerability was a worrying development for a service that prides itself on security,” he added.
“Attackers will constantly try to find vulnerabilities in PayPal to gain access to transactions or perform illicit activities. The fact that we found a critical vulnerability ahead of malicious actors has averted potentially serious consequences for PayPal and its customers.”
A strain of malware called Dyre, designed to steal financial data via a malicious phishing campaign, recently hit major financial institutions including Barclays, Santander, Lloyds TSB and PayPal.