Paypal allows what?!

["Dude VanWinkle" <dudevanwinkle () gmail com>]

From: http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html

A security flaw in the PayPal web site is being actively exploited by
fraudsters to steal credit card numbers and other personal information
belonging to PayPal users. The issue was reported to Netcraft today
via our anti-phishing toolbar.

The scam works quite convincingly, by tricking users into accessing a
URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt
information transmitted to and from the site, and a valid 256-bit SSL
certificate is presented to confirm that the site does indeed belong
to PayPal; however, some of the content on the page has been modified
by the fraudsters via a cross-site scripting technique (XSS).

The genuine PayPal SSL certificate used by the scam
paypal-ssl.png

When the victim visits the page, they are presented with a message
that has been 'injected' onto the genuine PayPal site that says, "Your
account is currently disabled because we think it has been accessed by
a third party. You will now be redirected to Resolution Center." After
a short pause, the victim is then redirected to an external server,
which presents a fake PayPal Member log-In page. At this crucial
point, the victim may be off guard, as the paypal.com domain name and
SSL certificate he saw previously are likely to make him realise he
has visited the genuine PayPal web site – and why would he expect
PayPal to redirect him to a fraudulent web site?
-----------------------------------------------

Pictures and screenshots available on the link

This one is BAD

-JP<who wonders how long phishers have known about this one>

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.