WHID 2006-36: PayPal Flaw Gets Accidental Two-Year Reprieve?

While XSS vulnerabilities in public web sites are found daily, this one is of special interest. It was found in one of the sites most targeted by Phishers, it is exploitable for Phishing and was exploited. On top of that, it seems to have been discovered and reported to PayPal already two years ago but ignored due to a communication failure.

Additional information:

• PayPal Security Flaw allows Identity Theft [Netcraft, Jun 16 2006]
• PayPal XSS Exploit available for two years? [Netcraft, Jul 20 2006]
• PayPal fixes phishing hole [News.com, Jun 16 2006]
• Responsible Disclosure? - Paypal vulnerable for two years [Computer World, Jul 20 2006]