The vulnerabilities discussed here were also described on the Full Disclosure mailing list this week. As a preface, I will say that the vulnerability details cannot be confirmed, as they have reportedly been fixed and PayPal is not commenting. Here is what I can say about this class of vulnerabilities in general.
Cross-site scripting issues such as the ones reported in PayPal are extremely common throughout the Internet as well as in internally deployed web applications. This type of vulnerability exists when the application includes user input in a web page without validating or output-encoding the data first. The end result is that a malicious user can cause the web application to serve attacker-supplied content that the browser executes as if it were legitimate code from the site. In the case of a persistent (stored) cross-site scripting issue, which is what Vulnerability Lab claims to have found, the injected code is served to every other visitor of the affected page. In the worst case, an attacker could hijack victim accounts, distribute malware, or spy on victims in more subtle ways.
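To make the "user input included without encoding" point concrete, here is an added example (written for this commentary, not code from PayPal or from Vulnerability Lab's report) that renders a stored comment two ways: raw interpolation, which is the defect, and HTML-entity encoding, which is the fix. The comment text and the `contains_active_markup` check are constructed for the demonstration; `html.escape` is the standard-library encoder.

```python
import html

# Constructed sample of what a stored-comment table might hold: one
# benign comment and one that carries markup. Stored XSS is exactly the
# case where the second one is later rendered to every other visitor.
STORED_COMMENTS = [
    "Great seller, fast shipping!",
    "<script>alert(1)</script>",
]


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable pattern: user data dropped straight into HTML body context."""
    return f"<li>{comment}</li>"


def render_comment_safe(comment: str) -> str:
    """Fixed pattern: encode for HTML body context before interpolating.

    html.escape turns < > & " ' into entities, so the browser displays the
    text instead of parsing it as markup. This is the right encoder for
    body and quoted-attribute contexts only; a JavaScript string or a URL
    parameter needs its own context-specific encoding.
    """
    return f"<li>{html.escape(comment, quote=True)}</li>"


def render_profile_title_safe(display_name: str) -> str:
    """Quoted attribute context: quote=True is what keeps the attribute closed."""
    return f'<a href="/profile" title="{html.escape(display_name, quote=True)}">profile</a>'


def contains_active_markup(rendered: str) -> bool:
    """Crude demo check: any literal angle bracket inside the <li> wrapper
    means the browser would parse user data as a tag."""
    inner = rendered[len("<li>"):-len("</li>")]
    return "<" in inner or ">" in inner


def render_page(renderer, comments=STORED_COMMENTS) -> str:
    """Assemble the comment list the way a page template would."""
    return "<ul>\n" + "\n".join(renderer(c) for c in comments) + "\n</ul>"


if __name__ == "__main__":
    print("--- vulnerable ---")
    print(render_page(render_comment_unsafe))
    print("--- encoded ---")
    print(render_page(render_comment_safe))
```

Run it and compare the two listings: in the first, the second list item is a live script element; in the second, it is the visible text `<script>alert(1)</script>` and nothing executes.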
In this particular case, however, I believe the researcher reporting the issue has overstated the potential impact by claiming that it could result in session hijacking. As far as I can tell, PayPal has done all the right things to mitigate the potential impact of cross-site scripting (XSS) on the PayPal domain. This includes, but is not limited to, blocking script access to cookies and preventing cross-site request forgery (CSRF).
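The two mitigations named above are the ones that keep a reflected or stored XSS bug from turning into a session takeover. As an added illustration (my own code, not PayPal's implementation, which is not public), the block below issues a session cookie that script cannot read and checks a per-session CSRF token on state-changing requests. The secret key, session identifiers and request dictionaries are constructed placeholders; the cookie flags come from Python's standard `http.cookies` module.

```python
import hmac
import hashlib
import secrets
from http.cookies import SimpleCookie

# Constructed server-side secret; a real deployment loads this from
# protected configuration, never from source.
SERVER_SECRET = b"placeholder-server-secret-rotate-me"


def build_session_cookie(session_id: str) -> str:
    """Return a Set-Cookie header value for the session.

    HttpOnly is the flag that denies document.cookie access to injected
    script; Secure keeps it off plaintext HTTP; SameSite=Lax stops most
    cross-site POSTs from carrying it at all.
    """
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


def new_session_id() -> str:
    """Unguessable session identifier (128 bits of CSPRNG output)."""
    return secrets.token_urlsafe(16)


def csrf_token_for(session_id: str) -> str:
    """Derive the CSRF token from the session so it cannot be forged
    without the server secret and is worthless for any other session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def state_change_allowed(request: dict) -> bool:
    """Gate a state-changing request (transfer, address change, ...).

    `request` is a constructed stand-in for a framework request object:
    {"method": ..., "cookies": {...}, "form": {...}}.
    """
    if request.get("method", "GET").upper() not in ("POST", "PUT", "DELETE"):
        return False  # state changes must not ride on GET
    session_id = request.get("cookies", {}).get("session")
    submitted = request.get("form", {}).get("csrf_token", "")
    if not session_id or not submitted:
        return False
    expected = csrf_token_for(session_id)
    # Constant-time comparison so token checking does not leak by timing.
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    sid = new_session_id()
    print("Set-Cookie:", build_session_cookie(sid))
    good = {"method": "POST", "cookies": {"session": sid},
            "form": {"csrf_token": csrf_token_for(sid)}}
    forged = {"method": "POST", "cookies": {"session": sid},
              "form": {"csrf_token": csrf_token_for("some-other-session")}}
    print("legitimate form accepted:", state_change_allowed(good))
    print("cross-site forgery accepted:", state_change_allowed(forged))
```

The point of binding the token to the session via HMAC is that a third-party page can make the victim's browser send the cookie, but it cannot read the matching token out of a page on the target domain, so the request fails the check even though the cookie is present.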
As for the open redirect described, this is another common occurrence on the Internet, but there is some debate among security researchers as to whether it should be considered a security vulnerability at all. This type of flaw would most commonly be used in email or instant-messaging phishing attempts: the attacker sends a link that appears to point to the PayPal web site, but when clicked it delivers the victim to a separate site. Google's bug bounty program explicitly states that it does not deem open redirects to be a serious security issue. Here is a quote from its bug bounty program rules:
"URL redirection. We recognize that the address bar is the only reliable security indicator in modern browsers; consequently, we hold that the usability and security benefits of a small number of well-designed and closely monitored redirectors outweigh their true risks."
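Whatever one thinks of the severity debate, the usual fix is cheap: a redirector should only follow targets it recognises. The following is an added example of such a check (my own code, not PayPal's redirector and not part of Google's rules); the allowed host set `shop.example` and the sample `next` values are constructed. It goes a little beyond the plain case in the text by also handling the protocol-relative and backslash forms that browsers normalise into an absolute URL.

```python
from urllib.parse import urlsplit


def safe_redirect_target(target: str, allowed_hosts: set, default: str = "/") -> str:
    """Return `target` if it stays on an allowed host or is a same-site path,
    otherwise return `default`.

    Cases handled:
      * absolute URL with a host not in `allowed_hosts`  -> default
      * non-http(s) scheme such as javascript:           -> default
      * protocol-relative "//host/..." (empty scheme, non-empty netloc)
      * backslashes or control characters, which browsers may rewrite
        into "//host" before resolving                   -> default
      * plain same-site path "/account"                  -> allowed
    """
    if not target:
        return default
    # Reject characters browsers normalise (\\ -> /) or strip (C0 controls),
    # because urlsplit's view of the string may differ from the browser's.
    if "\\" in target or any(ord(ch) < 0x20 for ch in target):
        return default

    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default
    if parts.netloc:
        # parts.hostname is lower-cased and has userinfo/port stripped, so
        # "http://shop.example@evil.example/" is judged by the real host.
        if parts.hostname not in allowed_hosts:
            return default
        return target

    # No host component: accept only a single-slash-rooted path.
    if not target.startswith("/") or target.startswith("//"):
        return default
    return target


if __name__ == "__main__":
    allowed = {"shop.example"}
    for candidate in ["/account/settings", "https://shop.example/done",
                      "https://evil.example/", "//evil.example/",
                      "/\\evil.example", "javascript:alert(1)",
                      "http://shop.example@evil.example/"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate, allowed)!r}")
```

The lookup is deliberately an exact host match rather than a suffix match, since a suffix check on "paypal.com" would also accept "notpaypal.com"; if subdomains must be allowed, enumerate them.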