PayPal has resolved a reflected cross-site scripting (XSS) vulnerability uncovered in the currency converter feature of user wallets.

First disclosed on February 19, 2020, by a bug bounty hunter who goes by the name "Cr33pb0y" on HackerOne, the vulnerability is described as a "reflected XSS and CSP bypass" issue.

The bug was found in the currency converter feature of PayPal wallets on the PayPal web domain.

In a limited disclosure, published on February 10, close to a year after the researcher reported the issue privately, PayPal said the bug existed in the currency conversion endpoint and was caused by a failure to properly sanitize user input.

A vulnerable URL parameter failed to sanitize input, which could allow threat actors to inject malicious JavaScript, HTML, or any other code "that the browser could execute," according to the advisory.

As a result, malicious payloads could execute in the Document Object Model (DOM) of a victim's browser page without their knowledge or consent.

Typically, reflected XSS attacks bounce a script supplied in a request straight back to the browser in the response, and may only require a victim to click on a malicious link to trigger. Payloads may be used to steal cookies, session tokens, or account details, or could be used as a step in wider attacks.

Following the bug bounty hunter's disclosure, PayPal has now implemented additional validation checks and sanitizer controls to manage user input in the currency exchange feature and eradicate the bug.
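To make the two controls named above concrete, here is an added example (not PayPal's code, and not from the researcher's report) of a server-side rendering of a currency-converter result page. It shows how a URL parameter reflected straight into markup produces the bug described, and then the hardened form with the validation checks and output escaping the advisory refers to. The parameter names (`from`, `to`, `amount`), the currency allowlist, the page layout and the sample requests are all assumptions constructed for the example.

```javascript
// Added example, not PayPal's code: a currency-converter result page
// rendered from URL query parameters, first the way a reflected XSS bug
// arises and then with validation plus output escaping applied.
// Parameter names, allowlist and page layout are assumptions.

// Encode the five characters that let text break out of an HTML text
// node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// VULNERABLE: query values are concatenated straight into the markup, so
// whatever the URL carries is handed to the browser's HTML parser as-is.
function renderVulnerable(query) {
  return `<p>Convert ${query.amount} ${query.from} to ${query.to}</p>`;
}

// Validation: a currency code must be exactly three uppercase letters and
// appear on a fixed allowlist; the amount must parse as a non-negative number.
const ALLOWED_CURRENCIES = new Set(['USD', 'EUR', 'GBP', 'JPY']); // constructed allowlist

function validateQuery(query) {
  const errors = [];
  for (const key of ['from', 'to']) {
    const v = query[key];
    if (typeof v !== 'string' || !/^[A-Z]{3}$/.test(v) || !ALLOWED_CURRENCIES.has(v)) {
      errors.push(`${key}: not an allowed currency code`);
    }
  }
  const amount = Number(query.amount);
  if (typeof query.amount !== 'string' || query.amount.trim() === '' ||
      !Number.isFinite(amount) || amount < 0) {
    errors.push('amount: not a non-negative number');
  }
  return errors;
}

// HARDENED: reject anything outside the expected shape, then escape
// everything that is still reflected into the page.
function renderHardened(query) {
  const errors = validateQuery(query);
  if (errors.length > 0) {
    // The error page names the failed check without echoing the rejected
    // value back, and is escaped anyway in case a message ever includes one.
    return `<p>Invalid request: ${escapeHtml(errors.join('; '))}</p>`;
  }
  return `<p>Convert ${escapeHtml(query.amount)} ${escapeHtml(query.from)} to ${escapeHtml(query.to)}</p>`;
}

// Defence in depth: a Content Security Policy that refuses inline script.
// The report above described a CSP bypass, which is why the sanitizer and
// validation are the primary fix and this header is only a backstop.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Parse a query string into a plain object, as a server framework would.
function parseQuery(search) {
  return Object.fromEntries(new URLSearchParams(search));
}

// Constructed sample requests: a normal one and one carrying a script tag.
const BENIGN = parseQuery('from=USD&to=EUR&amount=100');
const HOSTILE = parseQuery('from=USD&to=<script>alert(1)</script>&amount=100');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderVulnerable(HOSTILE)); // the tag reaches the DOM unchanged
  console.log(renderHardened(HOSTILE));   // rejected by validation, nothing reflected
  console.log(renderHardened(BENIGN));    // <p>Convert 100 USD to EUR</p>
  console.log('Content-Security-Policy:', CSP_HEADER);
}
```

The order matters: validation runs first so that a value outside the expected shape never reaches the template at all, and escaping covers what remains, such as a legitimate amount that the template still reflects. Run it with `node` to see the vulnerable and hardened renderings side by side.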

A CVE has not been assigned, but the vulnerability has been classified as medium severity. The researcher was awarded $2,900 as a financial reward.

Last year, HackerOne published a list of the most impactful and rewarded vulnerability types reported on the platform during 2020. XSS attacks, improper access control, information disclosure, and Server-Side Request Forgery (SSRF) vulnerabilities secured the top spots.
