PayPal fixes URL problem used for crime

By Derek Sooman on
PayPal claims to have now fixed a vulnerability on their site that could have allowed malicious attackers to steal credit card information from PayPal users. Obviously something that PayPal wanted to stamp out immediately, the flaw involved a cross-scripting attack and saw targeted users getting an e-mail, purporting to be from PayPal, which directed them to a special URL on the PayPal servers. Once they loaded that page, they were given a message that their account had been disabled, and directed to a non-PayPal server in South Korea, with a fake log-in page. This page then harvested private information from the user, such as credit card and Social Security numbers.

The company claims to have now fixed the problem on their servers, and had the Korean server shut down. What remains unknown is how many, if any, users were tricked by this.

"It's pretty awful, actually," said Gartner analyst Avivah Litan. "There's not much consumers can do except monitor their account and watch for visual cues, or download something like the eBay toolbar which warns you about [phishing] sites."
PayPal is warning its users only to enter personal information relating to PayPal services on URLs that begin with

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.