A security researcher in Finland has discovered a cross-site scripting vulnerability on paypal.com that would allow hackers to carry out highly plausible attacks, adding their own content to the site and stealing credentials from users.

The vulnerability is made worse by the fact that the affected page uses an Extended Validation SSL certificate, which causes the browser's address bar to turn green, assuring visitors that the site – and its content – belongs to PayPal. Two years ago, a similar vulnerability was discovered on a different page of the PayPal site, which also used an SSL certificate.

[Image: message injected into a PayPal page served with an EV SSL certificate]
"Is it safe?" - a message injected on the PayPal website today

Harry Sintonen discovered the vulnerability and announced it to other web application security specialists in an Internet Relay Chat (IRC) channel today. Sintonen told Netcraft that the issue was critical, adding that, "you could easily steal credentials," and, "PayPal says you can trust the URL if it begins with https://www.paypal.com," which is not true in this case.

While SSL certificates do indeed provide a higher level of assurance when it comes to site ownership, they cannot guarantee that a site is free from other security problems – including cross-site scripting. There are concerns that hackers may exploit misunderstandings in the significance of the green address bar for their own benefit, piggybacking off the trust that is instilled by EV certificates. Users need to be aware that a green address bar does not guarantee the origin of a page's contents if there is a cross-site scripting vulnerability on that page.

The vulnerability comes to light only a month after PayPal published a practical approach to managing phishing on their blog, which extols the use of Extended Validation certificates in preventing phishing. The document describes browsers that do not support EV certificates as "unsafe" and announces the company's plans to block customers from accessing their website from the most unsafe browsers.

PayPal was one of the first companies to adopt EV certificates and the company says it has seen noticeably lower abandonment rates on signup flows for Internet Explorer 7 users versus other browsers. According to the document, PayPal believe this correlates closely to user interface changes triggered by their use of EV certificates.

Posted by Paul Mutton at 16 May 2008 in Security

Ranking by Failed Requests and Connection time, April 1st – 30th 2008

[Image: ranking table of the most reliable hosting company sites, April 2008]

NaviSite is the most reliable hosting company site for April 2008.

NaviSite was incorporated in 1998 and provides application solutions and hosting services using its web infrastructure platforms in 18 data centers. The company recently announced an alliance with Intel Corporation to offer a suite of managed services through Intel's value added reseller community.

NaviSite's performance is followed by DataPipe, which made 11 appearances in the top ten last year. Last month's most reliable hosting company site, INetU, appears in third place this month.

Three of April's top ten hosting companies, including NaviSite, run Linux on their main sites, while another three use FreeBSD. One company uses Windows Server 2003.

Posted by Paul Mutton at 2 May 2008 in Performance

Several SourceForge, Inc sites, including the popular technology news site Slashdot have been offline for several hours today.

All of Netcraft's globally distributed performance monitors have recorded a solid period of downtime at a number of sites hosted in the VA Software netblock. VA Software is the former name of SourceForge, Inc, which hosts all of the affected sites, including Slashdot, the source code repository SourceForge.net, software release site Freshmeat and merchandise supplier ThinkGeek.

[Image: static uptime graph for www.slashdot.org]

Netcraft's live monitoring of www.slashdot.org can be seen here, reflecting a contiguous outage of approximately 5 hours.

Posted by Paul Mutton at 30 April 2008 in Performance

While Clinton and Obama are battling it out in the political arena, security researchers are continuing to find vulnerabilities in the candidates' and supporters' websites. Interestingly, while a typical exploit is to redirect one party's site to their opponent's, the reasons for seeking to discover such vulnerabilities are not always politically motivated.


Following the recent cross-site scripting attacks against Barack Obama's website, Finnish security researcher Harry Sintonen has published an example of a cross-site scripting vulnerability on votehillary.org.

Sintonen's example submits a POST request to the Vote Hillary website and injects an iframe, causing the site to display the contents of Barack Obama's website. Unlike the Obama incident, which redirected the user's web browser, Sintonen's method retains the votehillary.org URL in the address bar while displaying the opposing website.
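Both the PayPal issue and the Vote Hillary iframe injection described above come down to the same defect: a submitted value is copied into the page without being encoded for its HTML context, so markup in the value becomes part of the site's own page. The following is an added example, not code from the article or from either site: a reflecting handler beside its hardened form, plus a parser-based check that flags any element the template never declared. The field name, template and payload are constructed.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: a form field as it might arrive in a POST body.
# Illustrative only; the real parameter names on the sites are not in the article.
SUBMITTED_NAME = 'Jane<iframe src="https://example.org/"></iframe>'

# Constructed page template that echoes the submitted value back to the visitor.
PAGE_TEMPLATE = "<html><body><p>Thanks for your support, {name}!</p></body></html>"


def render_unsafe(name: str) -> str:
    """Reflects the submitted value verbatim: markup in the value becomes page content."""
    return PAGE_TEMPLATE.replace("{name}", name)


def render_safe(name: str) -> str:
    """Encodes the value for an HTML text context, so '<', '>' and quotes stay literal."""
    return PAGE_TEMPLATE.replace("{name}", html.escape(name, quote=True))


class _TagCollector(HTMLParser):
    """Records the element names a browser would create when parsing the page."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def rendered_tags(page: str) -> list[str]:
    parser = _TagCollector()
    parser.feed(page)
    return parser.tags


def injects_iframe(page: str) -> bool:
    """Regression check: does the rendered page contain an iframe the template never declared?"""
    return "iframe" in rendered_tags(page)


if __name__ == "__main__":
    print("unsafe:", injects_iframe(render_unsafe(SUBMITTED_NAME)))  # True
    print("safe:  ", injects_iframe(render_safe(SUBMITTED_NAME)))    # False
```

The same check generalises to any element name, which makes it a cheap unit test for every page that echoes user input.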

Sintonen told Netcraft that he was inspired by the recent Obama attacks and first examined Hillary Clinton's official website at www.hillaryclinton.com. Sintonen did not find any cross-site scripting vulnerabilities on this site, adding that it looked quite secure, but subsequently found XSS opportunities available on the Vote Hillary website. Sintonen lives in Finland and has no strong interest in US politics.

While the example exploits have so far been relatively benign (limited to redirecting a user to the opponent's website, for example), future cross-site scripting vulnerabilities found on political candidate sites have plenty of scope to be much more serious. Obama's and Clinton's websites both accept monetary contributions towards their campaigns, so cross-site scripting vulnerabilities could be leveraged to steal money and identities from supporters.

Sintonen told Netcraft he informed the webmasters of votehillary.org about this cross-site scripting vulnerability two days ago, but has not yet received a response.

Posted by Paul Mutton at 24 April 2008 in Security

The CNN News website has been affected twice more since the distributed denial of service attack last Thursday. CNN mitigated Thursday's attack by limiting the number of users who could access the site from specific geographical areas.


Subsequently, an attack was purportedly organised to start on Saturday 19th April, but cancelled. However, our performance monitoring graph shows CNN's website suffered downtime within a 3 hour period on Sunday morning, followed by other anomalous activity on Monday morning, where response times were greatly inflated.

Netcraft is continuing to monitor the CNN News website. Live uptime graphs can be viewed here.

Posted by Paul Mutton at 22 April 2008 in Performance