A pentester has published a tutorial on how he was able to hijack PayPal accounts using Flash. He explains that he hijacked the PayPal accounts through the “Attach a file” option available on the PayPal.com domain: he uploaded a .SWF file that had a payload attached to it.
The payload looks like this:
<object style="height:1px;width:1px;" data="http://victim.com/user/2292/profilepicture.jpg" type="application/x-shockwave-flash" allowscriptaccess="always" flashvars="c=read&u=http://victim.com/secret_file.txt"></object>
He explains that he used the Detectify Blog tutorial to get a better understanding of how to exploit and test the “attach a file” and “upload” modules on websites. The pentester also explains that PayPal uses a crossdomain.xml file which allowed him to upload his payload to any environment hosted within the PayPal environment.
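Two server-side checks that address the weaknesses described above, as an added example that is not part of the original post or of PayPal's code: a content check that rejects a Flash movie no matter what filename it was uploaded under (the payload above is fetched as profilepicture.jpg), and a scan of a crossdomain.xml for entries that extend trust to arbitrary origins. The sample upload bytes and the two policy files are constructed here for illustration.

```python
import xml.etree.ElementTree as ET

# Every SWF file begins with one of three 3-byte signatures (uncompressed,
# zlib-compressed, LZMA-compressed) followed by a version byte.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
JPEG_SIGNATURE = b"\xff\xd8\xff"


def is_swf(data: bytes) -> bool:
    """True if the bytes carry a Flash (SWF) header, whatever the filename says."""
    return data[:3] in SWF_SIGNATURES


def accept_image_upload(filename: str, data: bytes) -> bool:
    """Accept a 'profile picture' only if the content really is a JPEG.

    The extension alone proves nothing: a SWF renamed to .jpg is still a SWF
    to the Flash plugin once it is embedded via <object type=...>.
    """
    if is_swf(data):
        return False
    if not filename.lower().endswith((".jpg", ".jpeg")):
        return False
    return data.startswith(JPEG_SIGNATURE)


def crossdomain_policy_findings(policy_xml: str) -> list:
    """Return a list of findings for over-permissive entries in a crossdomain.xml."""
    findings = []
    root = ET.fromstring(policy_xml)
    for elem in root.iter("allow-access-from"):
        domain = elem.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain='*' lets Flash from any origin read responses")
        elif domain.startswith("*."):
            findings.append(f"wildcard '{domain}' extends trust to every host under that suffix")
        if elem.get("secure", "true").lower() == "false":
            findings.append(f"secure='false' on '{domain}' honours the policy over plain HTTP")
    for elem in root.iter("site-control"):
        if elem.get("permitted-cross-domain-policies", "").lower() == "all":
            findings.append("site-control permits policy files anywhere on the site")
    return findings


# Constructed samples (hypothetical, not real PayPal files).
UPLOAD_SWF_AS_JPG = b"CWS\x0a" + b"\x00" * 16          # compressed SWF renamed to .jpg
UPLOAD_REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8
PERMISSIVE_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""
STRICT_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.invalid" secure="true"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    print("SWF as .jpg accepted:", accept_image_upload("profilepicture.jpg", UPLOAD_SWF_AS_JPG))
    print("real JPEG accepted:  ", accept_image_upload("profilepicture.jpg", UPLOAD_REAL_JPG))
    for finding in crossdomain_policy_findings(PERMISSIVE_POLICY):
        print("crossdomain.xml:", finding)
```

The content check is the cheap part; the structural fix for this class of bug is to serve user-uploaded files from a separate origin that the application's crossdomain.xml does not trust, so that even a stored SWF cannot read responses from the domain that holds the session.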