A security flaw within the PayPal Web site is posing a serious threat to its users, security firm Netcraft said Friday. The credit card numbers and personal information of those duped by attackers is at risk through a cross-site scripting attack.
A fraudster tricks the user into divulging information by asking them to visit an actual PayPal URL. Since this is hosted by the company, it would appear as if information is encrypted through the company's own SSL certificates. However, through cross-site scripting, some of the information on the accessed page has been modified.
The faked page claims that the user's account has been disabled due to "third-party access," much like the current PayPal scams. But this one is very different, as the page that says this appears to be an actual PayPal page.