Serious PayPal Flaw Disclosed

A security flaw within the PayPal Web site is posing a serious threat to its users, security firm Netcraft said Friday. The credit card numbers and personal information of those duped by attackers is at risk through a cross-site scripting attack.

A fraudster tricks the user into divulging information by asking them to visit an actual PayPal URL. Since this is hosted by the company, it would appear as if information is encrypted through the company's own SSL certificates. However, through cross-site scripting, some of the information on the accessed page has been modified.

The faked page claims that the user's account has been disabled due to "third-party access," much like the current PayPal scams. But this one is very different, as the page that says this appears to be an actual PayPal page.

The user would then be redirected to a external server, but could be caught off guard and continue to enter personal information.

"The paypal.com domain name and SSL certificate he saw previously are likely to make him realize he has visited the genuine PayPal web site - why would he expect PayPal to redirect him to a fraudulent web site?" Netcraft's Paul Mutton said.

A user would then disclose their username and password, and be asked to enter further information to verify their identity. According to Netcraft, the page also asks for a social security number, credit card number, expiration date, card verification number and ATM PIN.

Netcraft said that its anti-phishing toolbar has been updated to block access to the external server the user is directed to, which resides in Korea. As of press time, PayPal had not publicly acknowledged or commented on the flaw.