Firefox Fends Off PayPal Fraudsters
06 October 2009
Security
A hacker published a counterfeit (null-prefix) SSL certificate for PayPal
On Monday, a hacker published a counterfeit (null-prefix) SSL certificate for PayPal that exploits a hole in Microsoft browsers to appear legitimate to unsuspecting users of the online payment service.
Internet Explorer, Google Chrome and Apple Safari (for Windows) are all vulnerable because they all rely on the same Windows Crypto API to parse SSL certificates. Even though the certificate is obviously fraudulent, when used with a hacking tool called SSLSniff it fools all three browsers and displays a spoofed results page without warnings, so users click through happily to a bogus login page with legitimate-looking 'https' credentials. This is the very definition of a 'Man in the Middle' attack and is alarming because thousands of other financial sites rely on this same technology.
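The root of the null-prefix flaw, shown as an added illustration (not code from this article, from Microsoft, or from the Guardian product): a certificate's subject name is an ASN.1 string with an explicit length, but a parser that treats it as a C string stops at the first NUL byte, so a name that is really "www.paypal.com\0<something else>" looks like "www.paypal.com". The sample name below is constructed and the suffix is a placeholder.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a subject name as it would sit inside the certificate's
 * length-prefixed ASN.1 string, with a NUL byte after the expected hostname.
 * The suffix is a placeholder; sizeof-1 is the length the parser must honour. */
static const unsigned char SAMPLE_CN[] = "www.paypal.com\0.placeholder.invalid";
#define SAMPLE_CN_LEN (sizeof(SAMPLE_CN) - 1)

/* Flawed matching: treats the name as a C string, so everything after the
 * first NUL byte is silently ignored and the name appears to match. */
int match_cstring(const unsigned char *cert_name, const char *host)
{
    return strcmp((const char *)cert_name, host) == 0;
}

/* Length-aware matching: honours the ASN.1 length, rejects any embedded NUL
 * outright (no legitimate DNS name contains one), then compares every byte. */
int match_length_aware(const unsigned char *cert_name, size_t len, const char *host)
{
    if (memchr(cert_name, '\0', len) != NULL)
        return 0;                       /* embedded NUL: never legitimate */
    if (len != strlen(host))
        return 0;                       /* different lengths cannot match */
    return memcmp(cert_name, host, len) == 0;
}

int main(void)
{
    const char *host = "www.paypal.com";
    printf("C-string match:     %d (flawed: accepts the forged name)\n",
           match_cstring(SAMPLE_CN, host));
    printf("Length-aware match: %d (correct: rejects it)\n",
           match_length_aware(SAMPLE_CN, SAMPLE_CN_LEN, host));
    return 0;
}
```

A certificate checker that rejects any name with an embedded NUL, as the length-aware version does, is not fooled regardless of what follows the NUL.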
Although Microsoft was alerted to the exploit over nine weeks ago, it has yet to issue a fix, and meanwhile, PayPal say they are working on a technical workaround.
Until Microsoft issues a patch we would advise Windows users (Apple, like Mozilla, has already plugged the hole) to access the PayPal site using Firefox (versions 3.5 or 3.0.13 or later).
Guardian users will also be pleased to hear that update #14 (issued in August) augments the existing certificate checking features to recognize SSL certificates that have been 'broken' in this particular way, and hence protects against this critical vulnerability.
More information:
The Register