Being only 17, and therefore not eligible for the official Bug Bounty Program, German schoolboy Robert Kugler has posted information on a cross-site scripting vulnerability in payment processing service PayPal.

He has pointed out that Paypal servers apparently fail to check strings entered in the German version of the site-wide search field. The result is that it is possible to enter JavaScript in this field, which the server then sends to the browser. The browser then executes this code. Attackers can exploit such cross-site scripting (XSS) vulnerabilities to, among other things, steal access credentials. The issue can be demonstrated by entering ( see the below example ):

"

A simple string is able to bypass PayPal's entry filter and enable attackers to execute arbitrary JavaScript

The English language version of search on PayPal directs users to a different, apparently externally run, search engine. The XSS flaw could though still be of use in attacks on English speakers using PayPal.

Note the fake site as seen below:

Note the XSS trickery - despite a PayPal URL and a valid PayPal certificate, login credentials entered here are sent, not to PayPal, but to The H's German associates at heise.de

The simple attack described by Kugler does not work with WebKit-based browsers (Safari and Chrome), which include an XSS filter. This can, however, be circumvented. Opera, Firefox and Internet Explorer users are vulnerable to the PayPal vulnerability. Mozilla developers are working on their own XSS filter, but development appears to have come to a halt.