Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

As an example, an attacker can craft a script that would run within the paypal.com domain name. The script can therefore potentially grab the user paypal session (if the user is already logged in). Otherwise, it can show any information the attacker wants, and to the user this looks like a real trustworthy paypal page. It is running on the paypal.com domain, and the browser shows it's secured and trusted. So for example, it can display the login page and asking to confirm the password, or keylog anything the user presses etc.

This link can be embedded on a different site, or sent via email, and because the link itself points to paypal.com - it is much more likely to be trusted by unsuspecting users.



> This link can be embedded on a different site, or sent via email, and because the link itself points to paypal.com - it is much more likely to be trusted by unsuspecting users.

Doesn't seem like that is the case here. The bug is in the search form, which is POST only. It wouldn't be enough to share the link to the search page, you'd need something that does the search on your behalf.


It doesn't matter that the form is POST only if it doesn't do CSRF checks. (I haven't checked.)


That is not what I am disputing. If there is a bug in paypal's search via POST only, you cannot link to paypal's search. You would need to link to a page you control that performs the POST automatically. If you send a link to the search that only takes parameters via POST, paypal will never receive the payload.


if the paypal search only accept POSTs then you're absolutely right. It won't be as easy as sharing a link. If it happens to also accept GET requests, then it would. I didn't test this.

Note that _if_ the form is already CSRF-protected, then attackers won't easily be able to POST from a different domain either, which would drastically reduce the attack surface.

I didn't test this, but I'm not sure the form is fully CSRF protected though. I tried to explain the potential exploit from this discovered vulnerability. Perhaps I should have stated more clearly that this is more a general comment, and not specific to this particular case.


I'm not sure whether you'd still have access to cookies, but it's entirely feasible to include a script which will then submit the POST request.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: