Hackers could exploit a PayPal vulnerability to steal all your assets - vulnerability alert - the black bar safety net (黑吧安全网)

ID MYHACK58:62201566432
Type myhack58
Reporter Anonymous
Modified 2015-09-01T00:00:00


The Egyptian security researcher Ebrahim Hegazy found a critical stored XSS vulnerability on the PayPal website that could allow an attacker to steal a user's login credentials, and even to capture the user's credit card details in plaintext.

About PayPal: PayPal (known as 贝宝 in mainland China) is an international payment service used by millions of people for cross-border trade; payments are made instantly and credited immediately.

The SecurePayments page of the US version of PayPal is meant to serve as a secure payment-verification step when a user buys goods on any site. After the user selects the goods, the PayPal flow takes them to this payment page, where they must enter their credit card details to complete the purchase: card number, CVV2, expiration date and so on. The PayPal SecurePayments page transmits the data the user submits over an HTTPS-encrypted channel, protecting it in transit.

However, as Hegazy pointed out, an attacker could set up a malicious online store, or hijack a legitimate shopping site, and then use the vulnerability to steal users' login credentials and credit card information. The attack scenario:

1. The attacker builds a shopping website, or compromises and takes over an existing one.
2. Using the PayPal vulnerability, the attacker modifies the "Checkout" button.
3. A PayPal user browses the malicious shopping site, clicks the "Pay" button and chooses to pay with their PayPal account; they are redirected to https://securepayments.paypal.com to fill in their credit card information.
4. That page is in fact a phishing page: it asks the victim to enter their payment card details to complete the payment.
5. Once the information is entered, the victim clicks Submit and the payment completes. The amount actually charged is not the displayed $100; how much the victim pays is entirely up to the attacker.
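The scenario above turns on the payment page rendering attacker-controlled text without encoding it, so that stored markup becomes live content in the victim's browser. As an added example that is not part of the original article and not PayPal's code, the JavaScript below shows a checkout-summary renderer that HTML-encodes merchant-supplied fields and takes the amount only from a trusted server-side order record, next to the unsafe interpolation pattern for comparison, plus a small check that flags any tag the renderer did not itself emit. The order fields, function names, and the sample order are assumptions constructed for the demonstration.

```javascript
// Added example, not from the article or from PayPal. Field names, function
// names and the sample order are assumptions constructed for the demonstration.

// Map of characters that must be encoded before text is placed in an HTML body.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Encode a value for the HTML text context so that any markup it carries
// is displayed literally instead of being parsed as tags or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened renderer: merchant-supplied text is encoded, and the amount is taken
// from the trusted server-side order record (integer cents), never from a
// merchant-supplied display string.
function renderOrderSummary(order) {
  const cents = order.amountCents;
  if (!Number.isInteger(cents) || cents <= 0) {
    throw new RangeError('invalid order amount');
  }
  return (
    `<p>Item: ${escapeHtml(order.itemDescription)}</p>` +
    `<p>Amount: $${(cents / 100).toFixed(2)}</p>`
  );
}

// Vulnerable counterpart for comparison: raw string interpolation lets any
// markup in the merchant fields reach the browser's parser, and lets the
// merchant decide what amount is shown.
function renderOrderSummaryUnsafe(order) {
  return `<p>Item: ${order.itemDescription}</p><p>Amount: ${order.displayAmount}</p>`;
}

// Constructed sample order whose description carries markup, as a stored-XSS
// style input would; the handler name is a harmless placeholder.
const sampleOrder = {
  itemDescription: 'Widget <img src=x onerror="probe()">',
  displayAmount: '$100',
  amountCents: 10000,
};

// Detection-style check: does the rendered HTML contain any tag other than
// the <p> elements the renderer itself emits?
function hasUnexpectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?p>$/.test(tag));
}

console.log('hardened:', renderOrderSummary(sampleOrder));
console.log('unexpected tags (hardened):', hasUnexpectedTags(renderOrderSummary(sampleOrder)));
console.log('unexpected tags (unsafe):', hasUnexpectedTags(renderOrderSummaryUnsafe(sampleOrder)));
```

Output encoding is one layer; in a real deployment a Content-Security-Policy that disallows inline script and event handlers gives a second one, and keeping the charged amount in a server-side record the merchant page cannot alter is what prevents the "pay whatever the attacker chose" outcome described in step 5.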
A PoC demonstration video accompanies the original post.

Hegazy received PayPal's highest reward for an XSS vulnerability. As a white-hat security researcher, Hegazy reported the vulnerability to PayPal, and PayPal has since fixed it. For this finding PayPal paid him a $750 reward. It is worth noting that this is the highest bounty PayPal has paid for an XSS vulnerability.