Critical Vulnerability in PayPal

One of our readers, Farhan, has discovered* that some websites using a PayPal portal for payment are vulnerable and can be exploited with simple JavaScript. The JavaScript bypasses the payment page and redirects the user straight to the download page for products such as software or eBooks. He has already informed PayPal about the issue, and they replied to his vulnerability submission. The reply reads:

Farhan,

Thank you for the notification regarding the vulnerable button implementations on merchant sites. At this time, we are actively investigating the noted issues within our customers' implementations. All issues will be handled professionally and quickly. Again we appreciate you bringing this to our attention.

Thank you,

PayPal Site Security

(sitesecurity@paypal.com)

The JavaScript is very simple. It redirects the user by reading the download page URL out of the website's own source code: the download link sits in a hidden input tag whose name attribute is "return".

javascript:top.location=document.getElementsByName('return')[0].value;javascript:void(0);

Moreover, the JavaScript is floating around various blogs and forums, and plenty of video tutorials have been uploaded to YouTube. Affected websites can easily be found with this Google dork:

"this order button requires a javascript enabled browser"

Google lists a whopping 1,390,000 results, so that many sites are at risk and easy to exploit. The internet is flooded with this vulnerability and its exploit, yet the biggest question is why PayPal, considered the most secure payment service, has paid no attention to this theft until now.
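As an added, defender-side example (not code from the original post, from Farhan, or from PayPal), the following Python audits a merchant's own checkout page for exactly the misconfiguration described above: a form posting to PayPal whose hidden "return" input points straight at a downloadable file. The sample HTML, the shop.example host and the file-extension list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that indicate the return URL is the product itself, not a thank-you page.
DOWNLOAD_EXTS = (".zip", ".pdf", ".exe", ".rar", ".epub", ".mobi", ".dmg")


class PayPalButtonAuditor(HTMLParser):
    """Collects the hidden 'return' value of every form that posts to paypal.com."""

    def __init__(self):
        super().__init__()
        self.in_paypal_form = False
        self.return_urls = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            host = urlparse(a.get("action", "")).netloc.lower()
            self.in_paypal_form = host == "paypal.com" or host.endswith(".paypal.com")
        elif tag == "input" and self.in_paypal_form:
            if a.get("type", "").lower() == "hidden" and a.get("name") == "return":
                self.return_urls.append(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_paypal_form = False


def leaky_return_urls(html):
    """Return every PayPal-button 'return' URL that leads directly to a file."""
    auditor = PayPalButtonAuditor()
    auditor.feed(html)
    return [u for u in auditor.return_urls
            if urlparse(u).path.lower().endswith(DOWNLOAD_EXTS)]


# Constructed sample checkout page: one leaky button and one safe button.
SAMPLE_HTML = """
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="return" value="https://shop.example/files/ebook.pdf">
<input type="submit" value="Buy Now">
</form>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="return" value="https://shop.example/thanks">
</form>
"""

if __name__ == "__main__":
    print(leaky_return_urls(SAMPLE_HTML))  # ['https://shop.example/files/ebook.pdf']
```

A flagged button should have its return URL changed to a plain thank-you page, with the file released only after the server has verified the payment (for example through PayPal's IPN), never from a value readable in the page source.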

This vulnerability and post have been submitted by Farhan Ghumra, a computer engineering student from Rajkot, India.

Disclaimer

This blog post is provided to you on an as-is basis. The opinions expressed in this post are not those of the website/blog owner, Rishi Narang, or of any author other than the one explicitly mentioned in this blog post. While this weblog makes every effort to ensure that its contents are accurate and complete, this weblog makes no representation or warranty, whether express or implied, as to the operation, integrity, availability or functionality of this weblog or as to the accuracy, completeness or reliability of any information on this weblog. Any person who accesses this weblog or relies on the information contained in it does so at their own risk. All data and information provided on this weblog is for informational purposes only.

[*] This bypass technique is already in the wild; people have written blog posts and shared videos about it. It may not be a first discovery, but the author, Farhan, presents and quotes it as his own research, if a little late in time!

Jul 2nd, 2011 | Filed in: Security
Author: Rishi Narang

  1. Sirisha Chilkuri
    Sep 2nd, 2011 at 12:01

    Love your disclaimers!