There’s a serious hole blown in PayPal’s security, and there’s very little that PayPal themselves can do to protect users against the exploit.
Internet Explorer, Google Chrome and Apple Safari running on Windows are all affected; the only safe browser is the latest version of Firefox (version 3.5 or later).
Basically, there is a flaw in Microsoft’s CryptoAPI, used by many Internet browsers, which allows a hacker to display authentic-looking pages with https:// URLs. Normally https:// web addresses are secured by SSL certificates, but the flaw allows SSL certificates from other sources to be used in place of the PayPal certificate, and it’s impossible for the user to spot the difference.
The security flaw was first published in July and Microsoft are yet to release a fix. Until then, best practice has to be to use the Firefox browser to access PayPal.