PayPal stored XSS vulnerability exposed

Bitdefender researchers have located a stored XSS vulnerability in PayPal that leaves the e-payment service open for hackers to upload maliciously crafted files, capable of performing attacks on registered users of the service.

The vulnerability can be used to deliver harmful files or content that enable a wide range of attacks on users to take place.


PayPal’s issue lies in the way it processes and encrypts URLs that transport uploaded files. The proof-of-concept uses an HTML-formatted XML file, which is transferred to the ‘Create an Invoice’ section.

By tampering with the URL that pulls upload files from PayPal’s servers, researches were able to force the execution of a malicious payload on PayPal’s server.

Catalin Cosoi, Chief Security Strategist at Bitdefender said: “The huge reach that cyber attackers had access to through this vulnerability was a worrying development for a service that prides itself on security.”

The stored XSS attack only works in Firefox and, although it has not been reported in the wild, it could have allowed hackers to manipulate PayPal. However, since being advised about the vulnerability, PayPal has issued a fix rendering any attacks exploiting the issue as ineffective.

Creating the proof of concept

After making an XML file that was then uploaded to PayPal’s server, researchers were able to modify the file’s link and perform changes to it which produced an error.

Once the full path to the stored XSS was noted, a second file was then uploaded with a pre-determined file name and divided into blocks of 16.

Because each block could be changed to affect the block that followed, when some bytes were changed, the output looked very different. Researchers was then able to gain a response from PayPal that resulted in a link that could be used for further attacks.

Other attacks could allow for a “reflected file download,” which can create PayPal output files that resemble “~test.bat”. By downloading and executing these files, attackers could trick users into installing malware or other types of threats

Don't miss