One Prosper lender showed he was able to change the displayed credit grade and DTI ratio of a borrower listing by introducing a style sheet in the listing description.
In other cases, XSS vulnerabilities have been used to:
- allow an attacker to run code on a user's machine without their knowledge after visiting the infected page
- trick the user into sending their username and password to the attacker by altering the original webpage
- allow the attacker to steal the user's cookie which could enable the attacker to login as the user
According to Prosper, "there are no known cases of hackers exploiting these vulnerabilities to date." Prosper will release a patch this weekend to fix the vulnerability.