PayPal XSS Vulnerability Undermines EV SSL Security

A security researcher in Finland has discovered a cross-site scripting vulnerability on paypal.com that would allow hackers to carry out highly plausible attacks, adding their own content to the site and stealing credentials from users.

The vulnerability is made worse by the fact that the affected page uses an Extended Validation SSL certificate, which causes the browser's address bar to turn green, assuring visitors that the site – and its content – belongs to PayPal. Two years ago, a similar vulnerability was discovered on a different page of the PayPal site, which also used an SSL certificate.