PayPal Suffered Cross-Site Scripting (XSS) Vulnerability – E Hacking News
On February 19, 2020, a security researcher who goes by the name “Cr33pb0y” first reported the vulnerability, describing it as a “reflected XSS and CSP bypass”; he has been awarded $2,900 through the HackerOne bug bounty program.
In a limited disclosure published on February 10 – almost a year after the researcher reported the problem privately – PayPal said the flaw was in its currency conversion endpoint and stemmed from a failure to adequately sanitize user input.
Typically, an XSS attack causes a victim’s browser to run attacker-supplied script in the context of a specific website, often after the target has been induced to click a malicious link. Such payloads can serve as a foothold in larger attacks or be used to steal cookies, session tokens, or account information. Following the bug bounty hunter’s disclosure, PayPal has now added further validation of user input in the currency exchange function to eliminate the flaw.
XSS bugs are a frequent attack vector. Several recent data leaks have been attributed to what some analysts describe as XSS flaws.
Confirming that the vulnerability has been fixed, PayPal said it did so “by implementing additional controls to validate and sanitize user input before being returned in the response.”
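As an added illustration (not code from the article or from PayPal), the following constructed Python handler shows the kind of reflected XSS described above, where an unsanitized query parameter is echoed into the HTML response, beside the validate-and-escape fix that PayPal’s statement refers to. The endpoint shape, the `to` parameter, the exchange-rate table and the Content-Security-Policy header are all hypothetical.

```python
"""Reflected XSS in a hypothetical currency-conversion endpoint: the
unsanitized handler beside a hardened one that HTML-escapes anything it
echoes back and sends a Content-Security-Policy header as defence in depth.
Constructed example; not PayPal code and not from the article."""
import html
from urllib.parse import parse_qs, quote

# Constructed exchange-rate table (hypothetical values, base currency USD).
RATES = {"USD": 1.0, "EUR": 0.92, "GBP": 0.79}


def vulnerable_convert(query_string: str) -> dict:
    """Reflects the 'to' parameter into the HTML verbatim: reflected XSS."""
    params = parse_qs(query_string)
    to_code = params.get("to", ["USD"])[0]
    rate = RATES.get(to_code)
    if rate is None:
        # The unrecognised value is echoed straight into the page, so any
        # markup the requester supplied is parsed and executed by the browser.
        body = f"<p>Unknown currency: {to_code}</p>"
    else:
        body = f"<p>1 USD = {rate} {to_code}</p>"
    return {"headers": {"Content-Type": "text/html"}, "body": body}


def hardened_convert(query_string: str) -> dict:
    """Looks the code up in an allow-list and HTML-escapes anything echoed."""
    params = parse_qs(query_string)
    to_code = params.get("to", ["USD"])[0]
    rate = RATES.get(to_code)
    if rate is None:
        # Escape the untrusted value so it renders as text, never as markup.
        body = f"<p>Unknown currency: {html.escape(to_code, quote=True)}</p>"
    else:
        # to_code is a known key here, but escaping is cheap and consistent.
        body = f"<p>1 USD = {rate} {html.escape(to_code, quote=True)}</p>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Hypothetical CSP: if an encoding bug ever slips through, inline
        # script is still refused by a conforming browser.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }
    return {"headers": headers, "body": body}


def contains_script_tag(body: str) -> bool:
    """Crude check used only to compare the two handlers' output."""
    return "<script" in body.lower()


# Constructed probe: the canonical harmless XSS test string, URL-encoded
# the way a browser would send it in a query string.
PROBE = "to=" + quote("<script>alert(1)</script>")

if __name__ == "__main__":
    print("vulnerable:", vulnerable_convert(PROBE)["body"])
    print("hardened:  ", hardened_convert(PROBE)["body"])
    print("normal:    ", hardened_convert("to=EUR")["body"])
```

The point of the side-by-side is that the fix is not a blocklist of dangerous strings: the hardened handler treats every reflected value as untrusted text and encodes it for the HTML context it lands in, with CSP as a second layer rather than the primary control.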