LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

PayPal XSS Vulnerability Undermines EV SSL Security (Netcraft)

[Posted May 19, 2008 by jake]

Netcraft is reporting a cross-site scripting (XSS) vulnerability at PayPal. Because PayPal uses the Extended Validation SSL certificate, the abuse potential is somewhat higher as we described in an article in March. "Harry Sintonen discovered the vulnerability and announced it to other web application security specialists in an Internet Relay Chat (IRC) channel today. Sintonen told Netcraft that the issue was critical, adding that, 'you could easily steal credentials,' and, 'PayPal says you can trust the URL if it begins with https://www.paypal.com,' which is not true in this case."
(Log in to post comments)

PayPal XSS Vulnerability Undermines EV SSL Security (Netcraft)

Posted May 19, 2008 20:42 UTC (Mon) by clugstj (subscriber, #4020) [Link] 

This certainly makes it look like PayPal is much more interested in appearing to be secure
than actually being secure.

PayPal XSS Vulnerability Undermines EV SSL Security (Netcraft)

Posted May 19, 2008 23:48 UTC (Mon) by proski (subscriber, #104) [Link]

Actually, the article doesn't say anything about PayPal reaction to the issue.

PayPal XSS Vulnerability Undermines EV SSL Security (Netcraft)

Posted May 20, 2008 11:56 UTC (Tue) by tialaramex (subscriber, #21167) [Link] 

I believe the poster you're responding to means that PayPal spent money buying an EV
certificate (though by PayPal's standards it would be cheap) to re-assure users that they're
secure, but they didn't put the effort into security-by-design that is a necessary first step
before worrying about having the right kind of SSL certs.

Thus no "response" is needed, PayPal's priorities, like Microsoft's ten years ago, are quite
transparent and should warn security conscious people to stay miles away.

PayPal XSS Vulnerability Undermines EV SSL Security (Netcraft)

Posted May 20, 2008 19:22 UTC (Tue) by martinfick (subscriber, #4455) [Link] 

Why's that?  When it comes down to it, technical security features are nowhere near as
important as their security process.  After all, as a user who cares what security features
paypal uses?  What matters is what they do if someone commits fraud or steals from your
account.  Just because paypal thinks that it is important to give the impression of security
to their customers, does not mean that they will not have very good customer service policies!
I am in no way implying that they do or don't have good customer service policies, simply that
it really is unrelated to their technical security mechanisms.

PayPal XSS Vulnerability Undermines EV SSL Security (Netcraft)

Posted May 21, 2008 10:07 UTC (Wed) by tialaramex (subscriber, #21167) [Link] 

I agree that the process is the correct unit of security, but I think it's a mistake to
include all "customer service" in the security process per se.

When your bank replaces money which was fraudulently taken from your account that's not part
of a "securty process" it's just a customer retention measure or a legal obligation. If the
bank is able to revert the fraudulent transfer then /that/ might be part of a security
process, or if they're able to  identify where the money went and alert a local subsidiary to
call in the police, /that/ could be part of the security process. But just giving the customer
money so he'll stop whining isn't security.

PayPal's wider process is at fault here too, they've been telling customers that their EV cert
means better security and that they can trust the PayPal web site, but it turns out that this
wasn't actually true.

Also, "customer service" responses to fraud aren't a free lunch. If your friends routinely
fall for web-based PayPal fraud and have to recover the money through some sort of customer
service process, you can be sure that PayPal is ensuring their fees cover that "cost of
fraud". If the company is well run the executives /should/ realise that making the site secure
would be cheaper than paying for escalating rates of fraud, but I'm not comfortable assuming
that an effective monopoly like PayPal thinks that way.

PayPal XSS Vulnerability Undermines EV SSL Security (Netcraft)

Posted May 22, 2008 14:37 UTC (Thu) by clugstj (subscriber, #4020) [Link] 

Thank you, that is exactly what I meant.  They bought the EV cert and touted that it increased
security, but didn't review their code to see if there were any XSS vulnerabilities in it
(apparently).

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds