PayPal fell victim to a cross-site scripting vulnerability this past week. Basically it would allow hackers to carry out a few tasks such as stealing credentials from users as well as displaying their own content. PayPal, in my opinion, has always done a good job in terms of staying up on security risks over the years, especially given the volume that they run through on a daily basis. I am sure this exploit was probably repaired quickly by PayPal’s technical team but what kind of makes the story interesting to me is the fact that PayPal was running the new EV SSL Certification. You probably have noticed that while you are on a secure website the URL line of your browser will turn Green to say that everything is okay with the website and your transaction. Well, apparently the EV SSL isn’t as bulletproof as everyone once thought. I can remember my partner Greg and I laughing one day at how overrated some of the SSL products are that are on the market today. This is going to be an interesting story to watch…
For the record, I do believe that having an SSL or EV SSL on an e-commerce website is a great idea, it simply doesn’t mean that a website doesn’t have some underlying security issues, etc., the purpose of the SSL, as I have always seen it, is to provide the end user or customer with assurance that the website they are on is legitimate and not a “fraud or redirection”.
Source: PayPal XSS Vulnerability Undermines EV SSL Security – Netcraft
Questions or Comments?