A resourceful hacker was able to create a fake PayPal account to gather sensitive financial information that bypassed Microsoft Internet Explorer, Apple Safari, and Google Chrome security. The hack was designed to pop up a PayPal page with an artificial SSL certificate prompting users to submit sensitive information to the hacker without warning.
Noticeably missing from the list is Mozilla Firefox, which does not seem to be affected by the hack. Dan Gooden of The Register stated that “Even though the certificate is demonstrably forged, it can be used with a previously available hacking tool called SSL Sniff to cause all three browsers to display a spoofed page with no warnings, even when its address begins with ‘http.’”
To make matters worse, Microsoft apparently knew about this problem back in June when a hacker attending the Black Hat Security Convention exploited the weakness. A spokesman from Microsoft stated “Microsoft is investigating a vulnerability in SSL in Windows presented during Black Hat, Once we’re done investigating, we will take appropriate actions to protect customers.” Until the issue is resolved experts recommend that anyone using PayPal go to the site directly rather than risk getting duped into putting your information of a fake web page.
(Via Seattle Pi)
Read More →