
Monday, July 24, 2006

PayPal XSS Exploit available for two years?

The cross-site scripting (XSS) vulnerability, which was harnessed by fraudsters to execute a convincing phishing attack against PayPal users, may have been exploitable for two years previously.

Despite the prompt action taken by PayPal to address the security flaw after it was reported by Netcraft last month, it became apparent that the very same flaw had been discovered and documented two years earlier. The page - cached by the Wayback Machine - describes a cross-site scripting attack that affected donation pages for suspended users, and is the exact method exploited by the phishing attack in June 2006.

Chris Marlow tried to warn PayPal about the flaw in June 2004, but claims the PayPal representative he spoke to did not understand what cross-site scripting was, and - due to company policy - was unable to provide an email address to allow a proof-of-concept exploit to be demonstrated. Frustrated at being unable to convey the seriousness of the issue, Mr Marlow then posted details about the exploit to his web site but did not receive any response from PayPal.

PayPal fixed the flaw after reports of the phishing attack were published by Netcraft. A PayPal company spokesman initially said that they did not know how many people had fallen victim to the scam, although as the fraud was committed using PayPal's own web site, analysis of log files, if available, would have allowed PayPal to identify users at risk and take appropriate action.
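One way the log review mentioned above could be done, as an added example (not PayPal's or Netcraft's code). It assumes the injected markup travels in the query string of the victim's own request to the affected page; the log lines, the `/donate` path and the `item` parameter are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in common log format. Addresses, the /donate path
# and the "item" parameter are placeholders, not PayPal's.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jun/2006:10:01:12 +0000] "GET /donate?item=Charity+Fund HTTP/1.1" 200 5120
198.51.100.23 - - [16/Jun/2006:10:02:40 +0000] "GET /donate?item=%3Cscript%20src%3D%2F%2Fx.example.invalid%2Fa.js%3E HTTP/1.1" 200 5300
192.0.2.55 - - [16/Jun/2006:10:05:03 +0000] "GET /donate?item=%253Cscript%253E HTTP/1.1" 200 5290
198.51.100.23 - - [16/Jun/2006:10:09:58 +0000] "GET /donate?item=%3Cscript%20src%3D%2F%2Fx.example.invalid%2Fa.js%3E HTTP/1.1" 200 5300
203.0.113.9 - - [16/Jun/2006:10:11:30 +0000] "GET /help?q=%3Cscript%3E HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"')
MARKUP_RE = re.compile(r"<\s*(?:script|iframe)\b|javascript:", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so %253Cscript is seen as <script."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def clients_at_risk(log_text, affected_path="/donate"):
    """Map client address -> timestamps of requests that carried markup to the page."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, when, target = m.groups()
        url = urlsplit(target)
        if url.path != affected_path:
            continue
        values = (fully_decode(v) for _, v in parse_qsl(url.query, keep_blank_values=True))
        if any(MARKUP_RE.search(v) for v in values):
            hits.setdefault(client, []).append(when)
    return hits


if __name__ == "__main__":
    for client, times in clients_at_risk(SAMPLE_LOG).items():
        print(client, times)
```

In practice the flagged requests would be joined to session or account records to decide which users to contact.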

Monday, July 17, 2006

Citibank Fraudsters Defeat Two-Factor Authentication

An ongoing phishing attack against Citibank is using man-in-the-middle tactics to defeat two-factor authentication and gain access to online banking accounts.

The second authentication factor used by Citibank is provided by a security token – a physical item possessed by an account holder – which generates a one-time password that remains valid for approximately one minute. One-time passwords are useless to an attacker if they are captured via keylogging trojans, as they will not work immediately after the victim has used them, nor will the attacker be able to gain access to the victim's account at a later date.

However, by tricking a victim into entering these items of data into a form, the attacker's site can automatically relay the authentication credentials to the real Citibank site instantly. Effectively, this allows the attacker to successfully log in on behalf of the victim.
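A minimal model of the token check described above, added as an illustration and not Citibank's code. It assumes an RFC 6238-style time-based code with a 60-second step and a hypothetical `BankVerifier` that accepts each code once; it shows a captured code failing on replay, while a code relayed in real time is indistinguishable from the account holder's own login.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds a code stays valid ("approximately one minute" on the page)


def token_code(secret, now, digits=6):
    """RFC 6238-style code for the time step containing `now` (assumed algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // STEP)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class BankVerifier:
    """Hypothetical server side: each time step's code is accepted once per user."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.used = set()

    def login(self, user, code, now):
        step = int(now // STEP)
        expected = token_code(self.secrets[user], now)
        if (user, step) in self.used or not hmac.compare_digest(code, expected):
            return False
        self.used.add((user, step))
        return True


def scenarios():
    secrets = {"alice": b"constructed-demo-secret"}  # constructed sample data
    t0 = 19_218_333 * STEP  # constructed timestamp at the start of a time step

    # Keylogger case: the victim logs in directly, the captured code is replayed.
    bank = BankVerifier(secrets)
    code = token_code(secrets["alice"], t0 + 2)
    victim_login = bank.login("alice", code, t0 + 2)
    replay_same_minute = bank.login("alice", code, t0 + 10)
    replay_next_day = bank.login("alice", code, t0 + 86_400)

    # Relay case: the code is typed into a look-alike form and forwarded at once,
    # so the bank's first sight of it comes from the relaying site.
    bank = BankVerifier(secrets)
    code = token_code(secrets["alice"], t0 + 2)
    relayed_login = bank.login("alice", code, t0 + 3)

    return {"victim_login": victim_login, "replay_same_minute": replay_same_minute,
            "replay_next_day": replay_next_day, "relayed_login": relayed_login}
```

The verifier sees only a valid, unused code in the relay case, so the one-time property alone gives it nothing to reject.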

Guidance issued by the Federal Financial Institutions Examination Council (FFIEC) has called for banks to provide additional protection for high-risk transactions, such as those that involve moving funds or accessing sensitive customer information, but it is now clear that fraudsters are already making efforts to bypass the protection features being added by banks.

The Netcraft Toolbar community has to date reported 35 sites that have used this method to attack Citibank customers. All of the reported sites have used Russian country-code top level domains (.ru), although the hosting location varies from site to site.

Monday, July 10, 2006

Security Threat in CMS Application (Mambo, Joomla)

Potentially serious security flaws have been found in existing versions of the Mambo and Joomla content management systems, and developers of the two projects are advising users to install upgrades or security patches as soon as possible. Both programs are vulnerable to SQL injection attacks, which allow remote attackers to execute commands on the web server by typing SQL code into form fields. Joomla is a fork of Mambo, with both programs derived from the same code base.

Mambo and Joomla are open source projects which use the PHP scripting language and MySQL database. These applications are popular with web site owners because they are powerful, user-friendly, and can be installed by users with little or no PHP coding experience. They are also frequently targeted by Internet criminals seeking to crack web servers for use in botnets, phishing scams and distributed denial of service (DDoS) attacks. The Internet Storm Center said it is receiving reports that older versions of Mambo are being actively targeted and exploited using unpatched vulnerabilities.

Ideally, user input in web forms is sanitized - checked to ensure that users are not attempting to introduce code to give instructions to the web server. Content management systems typically bring together blogs, forums, news feeds and link directories in a single application, making it easy for webmasters to manage large communities of users. As a result, CMS apps include a large number of forms accepting user input, increasing the likelihood that some form fields may not be properly secured, providing an opportunity for SQL injection attacks.

Open source CMS programs often find and fix security holes promptly. But as is the case with most web software, a significant number of users fail to install security patches in a timely fashion. This provides an opportunity for hackers, who typically use public advisories to identify security flaws in specific programs and files, and then query search engines to locate vulnerable versions of the software.