Over a year ago PayPal were one of the first sites to implement EV SSL, the technology that turns your browser address bar green for known safe sites and red for known spoof sites.
The idea behind EV SSL is that users can easily tell whether they are on a known safe site and be warned if they are on a spoof site. That signal can no longer be trusted on its own: Finnish researcher Harry Sintonen has discovered a cross-site scripting vulnerability on PayPal that bypasses the EV SSL protection, leaving your browser showing the green "known safe site" indicator. The injected script runs inside PayPal's own page, served over PayPal's genuine certificate, so the browser has no reason to change the indicator.
The only indication that something out of the ordinary is occurring is a pop-up alert with the message "Is it safe?", which it most certainly is not.
PayPal are working to close the hole and emphasised that the exploit was not used in any phishing attacks.