EV SSL-secured live PayPal site vulnerable to XSS
Written by DP
Wednesday, 6 October 2010
*UPDATE - 07/10/2010* - Both issues already fixed. Well done PayPal security team! :)
"d3v1l" from Security-Sh3ll has reported another critical XSS flaw affecting the live PayPal site, where "real money" changes hands... This XSS vulnerability once more undermines the security of Extended Validation SSL (EV SSL) digital certificates... On the 26th of September, he also discovered a cross-site scripting hole in the mobile version of the live PayPal site, that was corrected within one day due to prompt notification by our early warning mailing list service.
https://www.paypal.com XSS mirror
Also the main domain of the PayPal Sandbox site got XSSed, just 10 days after registration.sandbox.paypal.com got XSSed (now fixed) by "Nemessis".
"PayPal XSS vulnerability" - d3v1l - Security-Sh3ll - 6 Oct 2010