A new unpatched vulnerability might allow attackers to steal money from PayPal users.
A new unpatched vulnerability might allow attackers to steal money from PayPal users. An unpatched weakness in PayPal’s money transfer service, according to a security researcher, might allow attackers to deceive victims into unintentionally executing attacker-directed transactions with a single click.
Clickjacking, also known as UI redressing, is a method in which an unsuspecting user is deceived into clicking seemingly harmless webpage components such as buttons in order to download malware, redirect to dangerous websites, or divulge sensitive information.
This is often accomplished by superimposing an invisible page or HTML element on top of the visible page, causing visitors to believe they are clicking the genuine page while, in reality, they are clicking the rogue element superimposed on top.
“As a result, the attacker is ‘hijacking’ clicks intended for [the legal] page and redirecting them to another page, most likely controlled by another application, domain, or both,” security researcher h4x0r dz said in a blog post describing the results.
The problem was reported to the firm in October 2021 by h4x0r dz, who spotted it on the “www.paypal[.]com/agreements/approve” endpoint.
“This endpoint is intended for Billing Agreements and should only take billingAgreementToken,” stated the researcher. “However, through my extensive testing, I discovered that we may pass another token type, resulting in the theft of money from [a] victim’s PayPal account.”
This implies that an attacker may embed the aforementioned URL within an iframe, allowing a victim who is already signed in to a web browser to transfer cash to an attacker-controlled PayPal account with the click of a button.
Worryingly, the assault might have had devastating effects in web portals that use PayPal for checkout, allowing the bad actor to drain arbitrary sums from victims’ PayPal accounts.
“There are online businesses that allow you to add balance to your account using PayPal,” h4x0r dz explained. “I can use the same attack to compel the user to add money to my account, or I can exploit this problem and allow the victim to create/pay for my Netflix account!”
(Update: The story has been updated to reflect that the flaw remains unpatched and that the security researcher received no bug bounty for reporting the issue.) The inaccuracy has been acknowledged. We’ve also contacted PayPal for further information.)
Have you enjoyed reading this article? To read more exclusive material from THN, follow us on Facebook. A new unpatched vulnerability might allow attackers to steal money from PayPal users.