PayPal Stored XSS via Request Payment feature or “How to inject a malicious payload remotely into users accounts”
This is the first vulnerability i discovered during the PayPal bug bounty program on the first day of the program, i thought its about time i’d share it with ya all.
An attacker is able to inject and execute a malicious payload on a remote user account without the need to convince the victim to click anything, it only requires the user to login to his PayPal account.
The vulnerability is caused due to the lack of input validation and sanitization of the “Business Name” field.
I was looking for a way to trigger this XSS on a remote user account and found that the payload can also be triggered by sending a Payment request.
These are the steps that were required in order to exploit this issue :
2. The attacker sends a payment request to the victim.
3. Once the user logs in to his account the payment request appears on the “Recent Activities” chart which loads on the main account page.
4. The XSS triggers on the user automatically when it tries to load the attacker business name.
I would like to thank PayPal for the opportunity to participate in this wonderful program and rewarding me for this bug.
**** This bug is already been fixed! ****