PayPal Mitigates XSS VulnerabilityPatch Issued After Vulnerability Found in an Endpoint Used for Currency Conversion
The PayPal vulnerability was discovered in February 2020 by a security researcher who goes by the name Cr33pb0y, who was paid $2,900 as part of HackerOne's bug bounty program.
The vulnerability was resolved, PayPal says, "by implementing additional controls to validate and sanitize user input before being returned in the response."
XSS vulnerabilities are a common attack vector for hackers.
"Exploitable software vulnerabilities will unavoidably happen, and when they do, some adversaries may be in a position to take advantage of them," says Tim Wade, technical director, CTO Team at threat detection company Vectra. "It’s the nature of the beast and it’s incumbent on organizations to plan for this possibility."
"Vulnerabilities that exploit XSS are often prevalent because they are difficult and time-consuming to test for automatically," says Dirk Schrader, global vice president at cyber security vendor New Net Technologies. "Secure coding techniques are ultra-critical in order to mitigate these vulnerabilities ‘at source’. It’s still the basics that leave most organizations at risk, so core security controls such as vulnerability management, patching and configuration hardening are still going to give the best return for protection vs effort."
In 2019, an independent security researcher found that an XSS bug in Tesla 3's web browser enabled him to hack into the car (see: How a Big Rock Revealed a Tesla XSS Vulnerability).