Original URL: http://www.theregister.co.uk/2008/05/16/paypal_page_succumbs_to_xss/
A serious scripting error has been discovered on PayPal that could enable attackers to create convincing spoof pages that steal users' authentication credentials.
The cross-site scripting bug is made all the more critical because it resides on a page that uses an extended validation secure sockets layer certificate. The new-fangled SSL mechanism is designed to give users a higher degree of confidence that the page they're visiting is secure by turning their browser address bar green.
But Finnish researcher Harry Sintonen figured out a way to inject his own code into a supposedly protected PayPal page even as the green bar lulled visitors into believing it hadn't been tampered with. Sintonen's code simply caused an Internet Explorer alert window to open with the words "Is it safe?" as evidenced by the screenshot below.

During an online interview, he demonstrated a page that prompted users for their account credentials and then sent them to an unauthorized server, and he said it would be possible for him to steal user cookies as well. All the while, the address bar would bear the PayPal URL in green. At time of publication, eBay had not yet removed the buggy code.
A statement from PayPal said the company considers user security a top priority. "As soon as we were informed of this exploit, we began working very quickly to shut it down," the statement read. "To our knowledge, this exploit was not used in any phishing attacks". Unauthorized withdrawals or purchases made on PayPal accounts are fully reimbursed.
The discovery is one more reason to remain skeptical of extended validation SSL, which has always struck us as a solution in search of a problem. Yes, we know it's supposed to close a loophole that's long existed in SSL by certifying, in this case for example, that it is eBay (the parent company of PayPal) that owns the SSL certificate for the specific PayPal page. But we've not yet heard of a single attack involving a forged certificate, so we're tempted to think the measure is more a gimmick designed to generate revenue for VeriSign and its competitors than anything else.
eBay security pros seem to have drunk the EV SSL Kool Aid, however, having announced recently (PDF alert) (http://www.thepaypalblog.com/weblog/files/a_practical_approach_to_managing_phishing_april_2008.pdf) that browsers that don't support the new standard aren't welcome on the PayPal site.
XSS vulnerabilities have emerged as one of the easier and more common ways to subvert website security measures. They use manipulated URLs to get around the so-called same-origin policy, which prevents cookies and other types of content set by one domain from being accessed or manipulated by a different address: because the injected code is echoed back by the vulnerable site itself, the browser runs it with that site's own origin, which is also why a green address bar offers no protection against it.
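By way of illustration (added here; this is not PayPal's code or anything from the original article), a stripped-down model of a reflected XSS bug of the kind described above next to its fix, plus the check a reviewer would run over the rendered output. The page path and the `q` parameter are hypothetical.

```javascript
// Reflected XSS: a value taken from the request URL is copied into the HTML
// response. The response is still served from the genuine site, over the
// genuine (even EV) certificate, so the browser trusts whatever it contains.

// Vulnerable: the query parameter lands in the page as raw markup.
function renderUnsafe(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") || "";
  return `<p>Results for: ${q}</p>`;
}

// Fix: escape the five characters that let attacker-controlled text break
// out of an HTML text node or attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same page, but the reflected value is treated as text, not markup.
function renderSafe(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") || "";
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Defender's check: count tag openers in the rendered page. The template
// itself contains exactly two (<p> and </p>); anything more came from input.
function countTags(html) {
  return (html.match(/<[a-zA-Z/!]/g) || []).length;
}

// Constructed sample request carrying harmless markup in the parameter.
const sampleUrl =
  "https://example.test/search?q=" + encodeURIComponent("<b>hi</b>");

console.log(renderUnsafe(sampleUrl), countTags(renderUnsafe(sampleUrl))); // 4 tags
console.log(renderSafe(sampleUrl), countTags(renderSafe(sampleUrl)));     // 2 tags
```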
Despite the proliferation of XSS attacks, McAfee's ScanAlert, which provides daily audits of ecommerce websites to certify them "Hacker Safe," gives clients the thumbs up (http://www.theregister.co.uk/2008/04/29/mcafee_hacker_safe_sites_vulnerable/) even when XSS vulnerabilities are discovered on their pages. ®
© Copyright 2008