BreachExchange mailing list archives

PayPal security holes expose customer card data, personal details


From: security curmudgeon <jericho () attrition org>
Date: Fri, 2 Nov 2012 12:20:50 -0500 (CDT)


http://www.scmagazine.com.au/News/321584,paypal-security-holes-expose-customer-card-data-personal-details.aspx

PayPal security holes expose customer card data, personal details
By Darren Pauli on Nov 1, 2012 2:46 PM

Bug bounty failure spurs disclosure.

Dangerous website flaws have been discovered in PayPal that grant 
attackers access to customer credit card data, account balances and 
purchase histories.

The holes - which still exist - were recently discovered by a security 
researcher.

One of the holes was publicly disclosed after a failed effort in July to 
responsibly disclose them under PayPal's bug bounty program.

Neil Smith from Texas-based outfit Zing Checkout found that attackers 
could log into publicly-accessible PayPal administrative sites via 
authorisation bypass and cross-site scripting (XSS) vulnerabilities.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
