Feb 14 2021

PayPal addresses reflected XSS bug in user wallet currency converter

Category: Web SecurityDISC @ 11:49 am

PayPal has fixed a reflected cross-site scripting (XSS) vulnerability that was discovered in the currency converter feature of user wallets on February 19, 2020, close one year ago.

The ‘reflected XSS and CSP bypass’ vulnerability was reported by the bug bounty hunter “Cr33pb0y” through the HackerOne platform.

“An endpoint used for currency conversion was found to suffer from a reflected XSS vulnerability, where user input was not being properly sanitized in a parameter in the URL. This could lead to a malicious user injecting malicious JavaScript, HTML, or any other type of code that the browser may execute. The malicious script will execute in the browser page DOM of another user typically without their knowledge or consent.” reads the summary published by PayPal.

PayPal has implemented additional validation checks and sanitizer controls for user input in the currency exchange feature before being returned in the response.

According to PayPal, the flaw resided in the currency conversion endpoint and was caused by a failure to properly sanitize the input in a parameter in the URL. 

An attacker could have exploited the flaw to inject malicious code (JavaScript, HTML, or any other language) that will be executed within the browser. 

Tags: wallet currency converter, XSS bug

Leave a Reply

You must be logged in to post a comment. Login now.