A serious scripting error has been discovered on PayPal that could enable attackers to create convincing spoof pages that steal users’ authentication credentials..

The cross-site scripting bug is made all the more critical because it resides on a page that uses an extended validation secure sockets layer certificate. The new-fangled SSL mechanism is designed to give users a higher degree of confidence that the page they’re visiting is secure by turning their browser address bar green.

But Finnish researcher Harry Sintonen figured out a way to inject his own code into a supposedly protected PayPal page even as the green bar lulled visitors into believing it hadn’t been tampered with.

U.S. consumers have the least “green” habits in the world in terms of energy use, transportation, travel, and goods, according to National Geographic and polling firm GlobeScan.

Blame the American appetite for large, two-car, gadget-packed homes located far from work, along with a general disregard for conservation and eco-friendly products, the report says.

The Greendex results, released Wednesday, are based on online surveys taken earlier this year examining the shopping habits and attitudes of 14,000 consumers in 14 countries.

Spanish police have arrested five people suspected of hacking into or outright disabling thousands of Internet pages, some of them run by government agencies in the U.S., Latin America and Asia, authorities said Saturday.

The National Police said the suspects belonged to one of the most active hacker groups on the Internet and said two of the suspects are 16 years old. The others are 19 or 20.

On the Internet, the group calls itself D.O.M Team, police said.

One of the group’s techniques was to infiltrate Web sites and insert a page of its own, police said.

The group attacked some 21,000 Web pages over the last two years, police said in a statement. The five were arrested this week in Barcelona, Burgos, Malaga and Valencia.

The statement did not identify which government Web sites the suspects are accused of tampering with.

The Spanish newspaper El Mundo reported in March that the group had infiltrated NASA’s Web page. A police official said Saturday she could not confirm this, and she refused to specify which sites had been hit. The official spoke on condition of anonymity in line with department rules.