PayPal XSSed, SQL Injected

The Register columns are getting better and better at web security related content.
In a single article, Dan Goodin managed to:

  1. Report an XSS hole in PayPal's "safe" area (the wet dream of every XSS kiddie), enabling all sorts of profitable scams, from credential theft to automated transactions riding the session of an authenticated user.
  2. Make a very valid point about extended validation SSL certificates being overrated, if not just an expensive joke: the green bar is more than happy to "certify" an XSS-compromised page as legitimate (obviously, since the certificate only vouches for who owns the domain, not for what the page contains). In other words, the perfect phishing attack works even better if you've got a modern, secure browser supporting EV SSL :)
  3. Deride McAfee's Hacker Safe one more time for its ridiculous stance on XSS vulnerabilities -- OK, that's just beating a dead horse...

Just a little addition of mine: despite PayPal's "safe browser" nonsense, there is only one browser that can save you from XSS exploitation.

In other news, Redmond - The Independent Voice of the Microsoft IT Community, formerly known as Microsoft Certified Professional Magazine, has joined the party of ASP/MS SQL Server sites that were SQL injected to serve JavaScript malware.
Considering the wide coverage this epidemic has enjoyed over the past week, I wonder what a "Certified Professional" usually reads aside from Microsoft EULAs...
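Two of the points above deserve a concrete illustration, so here is an added example of mine (not code from The Register article, PayPal, Redmond or the injected sites). The first half shows why the green EV bar is irrelevant to XSS: a handler that reflects untrusted input into HTML serves the attacker's script from the legitimate, EV-certified origin, and the fix lives in the application (context-aware output encoding), not in the certificate. The second half is a small check for the mass SQL injection pattern mentioned above: stored page content that has had a `<script src="...">` tag pointing at a foreign host appended to it. The host names, the sample pages and the function names are all constructed for this example.

```python
"""Added example: reflected XSS beside its fix, plus a detector for
injected off-site <script src> tags in stored page content.
Sample pages and host names below are constructed, not real sites."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit


def render_search_vulnerable(query: str) -> str:
    """Echoes the user's query straight into the page (reflected XSS).
    Over EV SSL the injected script still runs in the site's own origin:
    it can read document.cookie and ride the victim's session."""
    return f"<h1>Results for {query}</h1>"


def render_search_fixed(query: str) -> str:
    """Same page with the value HTML-escaped for element content."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def foreign_script_sources(page_html: str, site_host: str) -> list[str]:
    """Return script src URLs whose host differs from site_host.
    Relative URLs have no host and are treated as first-party;
    protocol-relative URLs (//host/x.js) are resolved by urlsplit."""
    collector = _ScriptSrcCollector()
    collector.feed(page_html)
    foreign = []
    for src in collector.srcs:
        host = urlsplit(src).hostname
        if host and host.lower() != site_host.lower():
            foreign.append(src)
    return foreign


# Constructed sample: an article page whose stored body had a script tag
# appended to it by SQL injection (hypothetical hosts).
SAMPLE_INJECTED_PAGE = (
    "<html><head><script src=\"/js/site.js\"></script></head>"
    "<body><p>Article text</p>"
    "<script src=\"http://malware.example/b.js\"></script>"
    "</body></html>"
)
SAMPLE_CLEAN_PAGE = (
    "<html><head><script src=\"//www.example.com/js/site.js\"></script>"
    "</head><body><p>Article text</p></body></html>"
)

if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_search_vulnerable(payload))   # script tag survives intact
    print(render_search_fixed(payload))        # rendered as harmless text
    print(foreign_script_sources(SAMPLE_INJECTED_PAGE, "www.example.com"))
    print(foreign_script_sources(SAMPLE_CLEAN_PAGE, "www.example.com"))
```

`html.escape` is the right tool only for the element-content context shown here; a value landing inside an attribute, a URL or a `<script>` block needs the encoding appropriate to that context. The detector is deliberately simple: it only catches scripts loaded from another host, which is the pattern the post describes, and would miss inline payloads.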

3 Responses to “PayPal XSSed, SQL Injected”

  1. #1 Rafael "g0dkar" Lins says:

    Uh... that's pretty, hm, sort of scary. I always thought it was only a matter of time. And it was :P

    BTW, is it me or you always tell people that NoScript is the solution to XSS, security holes, terrorism, cancer, hunger and other stuff? :P

  2. #2 Giorgio says:

    I'm afraid NoScript is for XSS and other web security holes only.
    For terrorism, cancer, hunger and other stuff, you need to install NoCapitalism :)

  3. #3 Dave says:

    I sent a reply to your email without going to the links you provided. Okay, all right. I give. I don't know what the hell you are talking about saying "PayPal XSSed". Even though I read the article, there is jargon in there that I hate to pursue. I'm a landscape architect. Not a computer guy at all. But, you scared me, just a little, until I took your argument to its logical conclusion: holes in the programming code that a computer nasty can use to feather his or her own "selfish" interests. My gosh, they could be Republicans! Maybe NoScript helps. I'd like to think so.

    So, I'll try NoScript again and learn to use it. Oops! Did I say I am a progressive and I don't like Republicans or capitalists who think they're the only ones who must survive. No? Guess I'm okay in case the NSA read this.

    Take care Programmer,
