PayPal XSS Vulnerability Undermines EV SSL Security

A security researcher in Finland has discovered a cross-site scripting vulnerability on paypal.com that would allow hackers to carry out highly plausible attacks, adding their own content to the site and stealing credentials from users.

The vulnerability is made worse by the fact that the affected page uses an Extended Validation SSL certificate, which causes the browser's address bar to turn green, assuring visitors that the site – and its content – belongs to PayPal. Two years ago, a similar vulnerability was discovered on a different page of the PayPal site, which also used an SSL certificate.

PayPal XSS EV SSL Certificate
"Is it safe?" - a message injected on the PayPal website today

Harry Sintonen discovered the vulnerability and announced it to other web application security specialists in an Internet Relay Chat (IRC) channel today. Sintonen told Netcraft that the issue was critical, adding that, "you could easily steal credentials," and, "PayPal says you can trust the URL if it begins with https://www.paypal.com," which is not true in this case.

While SSL certificates do indeed provide a higher level of assurance when it comes to site ownership, they cannot guarantee that a site is free from other security problems – including cross-site scripting. There are concerns that hackers may exploit misunderstandings in the significance of the green address bar for their own benefit, piggybacking off the trust that is instilled by EV certificates. Users need to be aware that a green address bar does not guarantee the origin of a page's contents if there is a cross-site scripting vulnerability on that page.

The vulnerability comes to light only a month after PayPal published a practical approach to managing phishing on their blog, which extols the use of Extended Validation certificates in preventing phishing. The document describes browsers that do not support EV certificates as "unsafe" and announces the company's plans to block customers from accessing their website from the most unsafe browsers.

PayPal was one of the first companies to adopt EV certificates and the company says it has seen noticeably lower abandonment rates on signup flows for Internet Explorer 7 users versus other browsers. According to the document, PayPal believe this correlates closely to user interface changes triggered by their use of EV certificates.

Clinton and Obama XSS Battle Develops

While Clinton and Obama are battling it out in the political arena, security researchers are continuing to find vulnerabilities in the candidates' and supporters' websites. Interestingly, while a typical exploit is to redirect one party's site to their opponent's, the reasons for seeking to discover such vulnerabilities are not always politically motivated.

votehillary-resized.png

Following the recent cross-site scripting attacks against Barack Obama's website, Finnish security researcher Harry Sintonen has published an example of a cross-site scripting vulnerability on votehillary.org.

Sintonen's example submits a POST request to the Vote Hillary website and injects an iframe, causing the site to display the contents of Barack Obama's website. Unlike the Obama incident, which redirected the user's web browser, Sintonen's method retains the votehillary.org URL in the address bar while displaying the opposing website.

Sintonen told Netcraft that he was inspired by the recent Obama attacks and first examined Hillary Clinton's official website at www.hillaryclinton.com. Sintonen did not find any cross-site scripting vulnerabilities on this site, adding that it looked quite secure, but subsequently found XSS opportunities available on the Vote Hillary website. Sintonen lives in Finland and has no strong interest in US politics.

While the example exploits have so far been relatively benign (limited to redirecting a user to the opponent's website, for example), future cross-site scripting vulnerabilities found on political candidate sites have plenty of scope to be much more serious. Obama's and Clinton's websites both accept monetary contributions towards their campaigns, so cross-site scripting vulnerabilities could be leveraged to steal money and identities from supporters.

Sintonen told Netcraft he informed the webmasters of votehillary.org about this cross-site scripting vulnerability two days ago, but has not yet received a response.

Hacker Redirects Barack Obama’s site to hillaryclinton.com

A security weakness in Barack Obama's website has been exploited to redirect visitors to Hillary Clinton's website. Visitors who viewed the Community Blogs section of the site were instead presented with Clinton's website as a result of a cross-site scripting vulnerability.

hillary.png
Barack Obama's visitors were redirected to this site.

A user named Mox, from Liverpool, IL, posted an apparent confession in the Community Blogs section on the Barack Obama website yesterday. The subject of the post was, "I am the one who "hacked" Obamas site."

Mox plays down the matter by saying that all he did was exploit some poorly written HTML code before suggesting that it was a cross-site scripting vulnerability that had been exploited. By allowing users to enter characters such as > and " into their blog URLs, JavaScript could be injected into pages in the Community Blogs section and would be executed by subsequent visitors.

A YouTube clip from zennie62 demonstrates the attack. The clip shows a user clicking on the Community Blogs section of the Barack Obama site, which subsequently causes the browser to redirect to hillaryclinton.com. The author speculates that "Senator Clinton's staffers possibly hired someone to hack into the Barack Obama website system." No evidence is offered to back up this statement.

obama-xss.png
Another vulnerability found on the Barack Obama site.

While Mox states that the original issue has now been fixed, a number of similar vulnerabilities have since been identified and remain unfixed, and are documented on xssed.com, which notes that such vulnerabilities open up opportunities to infect Obama's supporters and site visitors with malware, adware and spyware.

Google Spreadsheets vulnerability exposes IE users’ Gmail, Documents and more

An interesting cross-site scripting (XSS) vulnerability found in the Google Spreadsheets service would have allowed attackers to gain unauthorised access to other Google services, including Gmail and Google Docs.

The vulnerability was discovered by security engineer Billy Rios, and takes advantage of nuances in the way Internet Explorer handles Content-Types for webpages.

Google Spreadsheets XSS

When a spreadsheet is saved and downloaded in CSV format, the Content-Type is set to "text/plain", thereby instructing the client's browser that the document should be treated as plain text. However, if HTML tags are entered into the first cell of the spreadsheet, Internet Explorer detects these tags near the start of the CSV document and instead deduces that it should be treated as HTML. This essentially allowed arbitrary HTML webpages to be served from spreadsheets.google.com, which in turn allowed JavaScript to be executed in the context of the spreadsheets.google.com site. A remote attacker could exploit this weakness by stealing the user's session cookies and hijacking their session.

Rios points out that Google cookies are valid for all google.com sub domains. This means that when a user logs in to Gmail, the Gmail cookie is also valid for other Google services, such as Google Code, Google Docs, Google Spreadsheets, and more. Cross-site scripting vulnerabilities in any of these sub domains can allow an attacker to hijack a user's session and access other Google services as if they were that user.

Google has fixed the vulnerability discovered by Rios and there have been no reports of the vulnerability being exploited by attackers.

Extended Validation certificates and XSS considered harmful

A cross-site scripting vulnerability on the popular SourceForge.net website shows how Extended Validation SSL certificates could be exploited by fraudsters. Piggybacking on the anticipated extra trust instilled by the presence of an EV SSL certificate, arbitrary content could be injected onto the secure page at SourceForge to create a very convincing phishing attack. The green address bar displayed by the web browser would assure users that they are looking at a website that can be trusted, even though the page they are looking at may contain scripts or HTML created by a remote attacker.

ie7-resized.png
The vulnerable page at SourceForge, showing the green address bar and injected JavaScript being executed

Extended Validation SSL certificates were originally created as a direct response to the rise in internet fraud, with additional verification processes reducing the likelihood of erroneously issuing a certificate to an unauthorised party. Modern web browsers treat EV SSL certificates differently to ordinary SSL certificates, typically turning the address bar green to show that a site can be trusted. Once users are conditioned into thinking that green means good, this could prove harmful when an EV SSL site contains a cross-site scripting vulnerability.

The number of EV SSL certificates in use worldwide is still relatively small and has only recently risen above 4,000. SourceForge is a large open source software development website, with a high ranking amongst users of the Netcraft Toolbar, and uses a VeriSign Class 3 Extended Validation SSL certificate for its main secure site at https://sourceforge.net.

firefox-small.png
Nightly builds of Firefox also display the green address bar element

Both Internet Explorer 7 and recent nightly builds of the Mozilla Firefox web browser display a green address bar when accessing the vulnerable page at SourceForge, even when it is used to inject content that may have been created by a fraudster. Netcraft has informed SourceForge about this issue, although the xssed.com mirror, where this vulnerability was first discovered, suggests that it has remained unfixed since last year.

This discovery (believed to be the first documented case of XSS on an EV SSL website) highlights the need to remain wary of web application security, even when delivered with the most secure and trusted option of Extended Validation SSL certificates.

Netcraft offers extensive web application penetration and security testing services to identify vulnerabilities such as cross-site scripting.

Fraudster using phone numbers to receive authentication details

The Bank of Lancaster County is currently being targeted by a phishing attack that does away with the traditional web-based phishing forms. Instead, victims are asked to phone a toll free number to reactivate their card.

The scam is initiated by sending out phishing emails purporting that the victim's VISA card has been deactivated, stating that it may have been used in illegal activities. Rather than clicking on a hyperlink and visiting a website to resolve the problem, this phishing scam asks its victims to call a phone number based in Erie, Pennsylvania. To add credibility to the attack, the email claims that the phone number is toll free, but it is in fact not.

bankoflancaster.png

Stealing credentials via phone remains a relatively rare phishing technique. For scalability, attacks like these are usually carried out by sending emails rather than initiating phone calls, and request that the recipient calls a phone number which purportedly belongs to the bank.

Ironically, phone phishing could prove more effective due to the methods some banks use to combat fraud. Some make automated phone calls to cardholders in the event of suspicious transactions, with the cardholder being prompted to respond by entering personal details before confirming a transaction. In practice, the cardholder has no way of ascertaining that the phone call is really coming from their bank, and expecting the cardholder to trust the automated caller is effectively grooming the bank's customers into falling for phone based phishing attacks.

The Bank of Lancaster County has published an alert advising customers about fraudulent emails that contain phone numbers, which when called, ask for personal information including account passwords and credit card numbers.