PayPal XSS adventure has finally come to an end

Written by DP

Sunday, 8 July 2007

What is wrong with PayPal lately? I am a bit surprised that PayPal was until yesterday vulnerable to that XSS vuln which was submitted by 142TeeTH on the 22th of June... Until early today, no prompt action was taken whatsoever by PayPal. Discovering security vulnerabilities in the largest online payment processor was never too easy - even underestimated ones like XSS. When an actual flaw is discovered, then PayPal is evidently known to delay its fixation for various reasons such as their misunderstanding of what cross-site scripting is. Being one of the biggest internet-based enterprises, surely has got the money and thus the power to tightly secure its infrastructure and assure that its customers' privacy is never at risk.

I am not a big fan of PayPal, but do not hate it either. It is known to be the secure and convenient way of paying online for goods and services. However, its million users make it the fraudsters' favorite online phishing scam. Of course we are not going to demonstrate what you can achieve by exploiting this XSS (this is against PayPal's company policy, and highly unethical as could possibly affect negatively their customers and systems). The possible risks that come from successful exploitation of this XSS, are obvious and of different severities.

A few days ago I received the following rather funny e-mail from eNom:


from                abuse <abuse[4t]>
to                     *.protect[4t]
date                05-Jul-2007 17:02
subject           FW: Phishing domain registered by enom
Your domain name is redirecting to a confirmed phishing website (see URL
below). In order to prevent the possible disabling of your domain name,
please take the necessary steps in order have the abusive content
disbanded. Failure to comply with this request could result in the
placing of a registrar-hold on your domain name, which will block DNS
resolution to this domain. Thank you for your cooperation in this


eNom, Inc.


Apparently someone used the Netcraft anti-phishing toolbar in order to submit the URL of the PayPal XSS mirror.
The funny thing is that Netcraft confirmed it as a phishing site and sent to me this e-mail:


From: Netcraft Phishing Service [mailto:toolbar[4t]]
Sent: Wednesday, July 04, 2007
To: Brad Ba****; NOC; abuse
Cc: phish-isp-alert[4t]
Subject: Phishing domain registered by enom

The URL below has been confirmed by Netcraft as a phishing

We are reporting it to you because there are indications that
the domain in the url is registered by you.  Details:

matching nameserver ""


Fortunately I was not "phished" to believe that the PayPal XSS mirror was a phishing site - despite the fact that this e-mail was sent from "Netcraft Phishing Service" and not "Netcraft Anti-Phishing Service"... :-P

Yesterday I e-mailed back eNom and Netcraft with this subject: "We have been mistakenly listed as phishing website."
PayPal was most likely notified about the issue by Netcraft right away. So the PayPal XSS is not working anymore, and neither of them thanked us for bringing the issues to their attention.

We believe they did not thank us because of the following reason:

If you liked what you just listened to, buy the artists' album/s from Amazon.
Update: Monday, 9 July 2007
Netcraft determined that the mirrors are not blocked. Thank you Netcraft! ;-)

Lastly, we would like to thank the anonymous individual who unwittingly started it all off, because without him, the privacy of the multi-million PayPal users would still be exposed to a stupid XSS.

Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.