An XSS vulnerability has been detected on PayPal's website:
"The vulnerability is made worse by the fact that the affected page uses an Extended Validation SSL certificate, which causes the browser's address bar to turn green, assuring visitors that the site – and its content – belongs to PayPal."
Green bars that cost a lot of money but don't improve security. And the visitor gets the false impression of safety.
A little embarrassing for PayPal, especially since a short time ago they considered locking out browsers that do not support EV SSL.
Slightly off topic, but I've come across a fair number of developers who are surprisingly blasé about XSS attacks. They tend to see it as just a defacement issue that only affects the person creating the XSS link. But combined with a bit of social engineering, an XSS can easily turn into a compromised admin account and other serious problems.
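To make the point above concrete, here is an added example (not code from this thread, and nothing to do with PayPal's actual site) showing the reflected-XSS pattern that developers tend to wave off, next to the hardened version of the same page. The URL, the page layout, the cookie name and the policy strings are assumptions made up for illustration; the only real APIs used are `html.escape` and `urllib.parse` from the Python standard library.

```python
"""Reflected XSS: an unescaped search page next to a hardened one.

Added example for illustration only. The page layout, the cookie name and
the sample URL are assumptions invented here, not taken from any real site.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the "q" parameter carries an HTML fragment.
# A harmless alert() is enough to show whether markup survives reflection.
SAMPLE_URL = "https://shop.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    values = parse_qs(urlsplit(url).query).get(name, [])
    return values[0] if values else ""


def render_vulnerable(url: str) -> str:
    """The pattern that produces a reflected XSS: user input is pasted
    straight into the HTML response, so any tags in it become live markup."""
    q = query_param(url, "q")
    return f"<h1>Results for {q}</h1>"


def render_hardened(url: str) -> str:
    """Same page, with the input HTML-escaped for the context it lands in.
    quote=True also neutralises quotes, which matters inside attributes."""
    q = escape(query_param(url, "q"), quote=True)
    return f"<h1>Results for {q}</h1>"


def contains_markup(rendered: str) -> bool:
    """True if the reflected parameter survived as a live <script> tag."""
    return "<script" in rendered.lower()


def session_cookie_header(token: str) -> str:
    """Cookie attributes that limit what a script that *does* run can do:
    HttpOnly keeps document.cookie from reading it, Secure keeps it off
    plain HTTP, SameSite=Strict stops it riding along on cross-site requests.
    This is defence in depth; output encoding is still the primary fix."""
    return f"session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


def csp_header() -> str:
    """A Content-Security-Policy that disallows inline scripts, so even a
    reflected <script> block that slipped past encoding is not executed."""
    return "default-src 'self'; script-src 'self'; object-src 'none'"


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_URL))
    print("hardened:  ", render_hardened(SAMPLE_URL))
    print("cookie:    ", session_cookie_header("<session-token>"))
    print("csp:       ", csp_header())
```

The vulnerable renderer returns the `<script>` element intact; the hardened one returns `&lt;script&gt;...`, which the browser displays as text. The cookie flags and the CSP are the layers that turn "attacker runs JavaScript in a victim's browser" from a session takeover into a much smaller problem, which is why an XSS report should be treated as an account-compromise issue rather than a cosmetic one.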