PayPal closes potential flaw in login pages

By Andrew Charlesworth
23 Mar 2012

PayPal has closed a potentially serious security hole on its site, which cyber criminals could have used to steal passwords belonging to users of the online payment service.

Associates at the Heise Security website informed PayPal of the cross-site scripting (XSS) vulnerability after it was spotted by one of their readers.

According to Heise, the problem affected SSL-encrypted pages at, where customers log in to make payments.

The search function was not filtering user input correctly, which meant malicious code could be injected into PayPal pages via a crafted URL, hijacking the login pages to harvest usernames and passwords.
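
The class of flaw described above, as an added illustration that is not code from PayPal or Heise: a search page that copies the query from the URL into its HTML unchanged, beside a version that encodes it for the output context. The host `shop.example`, the `q` parameter, the page template and the sample URL are all constructed for this sketch.

```python
from html import escape
from urllib.parse import urlsplit, parse_qs

# Constructed sample URL: the "q" parameter carries markup instead of a search term.
SAMPLE_URL = "https://shop.example/search?q=%22%3E%3Cb%20id%3Dinjected%3Ex%3C%2Fb%3E"

# Hypothetical page template: the term is reflected in an attribute and in body text.
PAGE = ('<form action="/search"><input name="q" value="{q}"></form>\n'
        '<p>Results for: {q}</p>')


def query_from_url(url, max_len=200):
    """Pull the search term out of the URL and bound its length."""
    values = parse_qs(urlsplit(url).query).get("q", [""])
    return values[0][:max_len]


def render_unfiltered(url):
    """The flaw: the term is copied into the page as-is, so markup in it becomes page markup."""
    return PAGE.format(q=query_from_url(url))


def render_encoded(url):
    """The fix: encode on output; quote=True also covers the value="..." attribute."""
    return PAGE.format(q=escape(query_from_url(url), quote=True))


def response_headers():
    """Defence in depth: a policy that blocks inline script if an encoding step is ever missed."""
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}


if __name__ == "__main__":
    print(render_unfiltered(SAMPLE_URL))
    print(render_encoded(SAMPLE_URL))
```

In the encoded output the submitted characters appear only as entities (`&quot;`, `&lt;`, `&gt;`), so the browser shows them as text rather than parsing them as part of the login page.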

XSS vulnerabilities in web applications are half as likely to exist in software as they were four years ago, according to IBM's X-Force 2011 Trend and Risk Report, published yesterday.
