Slashdot Mirror


PayPal Security Flaw Allows Identity Theft

miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."

4 of 212 comments

  1. Re:No signature = No liability by goodcow · Score: 5, Informative

    I think you're forgetting the fact that PayPal also stores checking account information, which is far, far more difficult to get money back from in the event of identity theft.

  2. Re:how?? by shawn443 · Score: 5, Informative

  3. I've got a fix by Dixie_Flatline · Score: 5, Informative

    Never follow a link in an email.

    It may be convenient, but in the vast majority of cases I've found that I can navigate from the main page if I know what I'm looking for. You can do basically everything from paypal.com without following the link that takes you directly to a specific page.

  4. The Cross Site Scripting FAQ by mrkitty · Score: 5, Informative
    --
    Believe me, if I started murdering people, there would be none of you left.