IE, Chrome, Safari duped by bogus PayPal SSL certificate
Published October 26, 2009
by The Register
A hacker has created a counterfeit security certificate that tricks Microsoft Internet Explorer, Apple Safari for Windows, and Google Chrome into thinking a bogus PayPal payment page is the real thing. Mozilla Firefox is not vulnerable to this exploit.
The certificate exploits a security hole in a Microsoft application programming interface known as the CryptoAPI, which is used by the IE, Google Chrome and Apple Safari for Windows browsers to parse a website's SSL certificates. Even though the certificate is demonstrably forged, it can be used with a previously available hacking tool called SSLSniff to cause all three browsers to display a spoofed page with no warnings, even when its address begins with "https."
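The article does not describe how the counterfeit certificate defeats the parser. The SSLSniff PayPal certificate from this period was publicly documented as a "null prefix" certificate: its subject name contains an embedded NUL byte, so a parser that copies the name into a NUL-terminated C string sees only the part before the NUL and matches it against the expected host. The following Python is an added illustration, not code from the article, from Microsoft or from SSLSniff; the certificate names are constructed placeholders and the function names are mine. It places the flawed C-string style comparison beside a strict check that uses the name's full declared length and rejects control characters, which is what a validator should do.

```python
"""
Added example (not from the article): why a C-string style certificate
name parser accepts a forged subject name with an embedded NUL byte, and
how a strict matcher rejects it. All names below are constructed.
"""

EXPECTED_HOST = "www.paypal.com"

# Constructed subject CommonName values as they would appear on the wire,
# where X.509/DER carries an explicit length rather than a terminator.
# The part after the NUL stands in for an attacker-controlled domain.
FORGED_CN = b"www.paypal.com\x00.attacker.example"
GENUINE_CN = b"www.paypal.com"


def c_string_name(cn: bytes) -> str:
    """Mimics a parser that copies the name into a NUL-terminated buffer:
    everything after the first NUL byte is silently dropped."""
    return cn.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def naive_matches(cn: bytes, host: str) -> bool:
    """The flawed check: compares only the truncated C string to the host,
    so a name that *starts* with the expected host passes."""
    return c_string_name(cn).lower() == host.lower()


def has_embedded_nul(cn: bytes) -> bool:
    """Detection signal: the declared length of the name disagrees with
    the length a C string function would report. Any such certificate
    should be treated as invalid regardless of what the prefix says."""
    return len(c_string_name(cn)) != len(cn)


def strict_matches(cn: bytes, host: str) -> bool:
    """Hardened check: refuse any byte outside printable ASCII (this
    covers NUL and other control characters), then compare the whole
    declared value, never a truncated view of it."""
    if any(b < 0x20 or b > 0x7E for b in cn):
        return False
    return cn.decode("ascii").lower() == host.lower()


def evaluate(cn: bytes, host: str) -> dict:
    """Return both verdicts side by side for a given name."""
    return {
        "seen_by_c_parser": c_string_name(cn),
        "naive_accepts": naive_matches(cn, host),
        "embedded_nul": has_embedded_nul(cn),
        "strict_accepts": strict_matches(cn, host),
    }


if __name__ == "__main__":
    for label, cn in (("forged", FORGED_CN), ("genuine", GENUINE_CN)):
        print(label, evaluate(cn, EXPECTED_HOST))
```

Running the block shows the forged name passing the naive comparison while the strict comparison rejects it, and the genuine name passing both; the length mismatch reported by `has_embedded_nul` is the same signal a certificate authority or a client validator can log and alert on.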
Until Microsoft fixes the vulnerability, users of those three browsers should beware of any links that claim to take them to a secure PayPal page. People should navigate directly to the PayPal site instead, so they know they're not being fooled into giving their information, including bank account numbers, to a hacker.
posted on November 10, 2009 02:22:53 PM
I only use Firefox. No exceptions! If a site I want to visit will only work on IE, I don't go to that site.