Unpatched vulnerability in PayPal’s money transfer service.
Clickjacking tactics used.
Could have disastrous consequences for PayPal checkout portals.
Introduction:
A security researcher discovered an unpatched vulnerability in PayPal’s money transfer service that could allow attackers to trick victims into unknowingly completing attacker-directed transactions with a single click. Clickjacking, also called UI redressing, refers to a technique wherein an unwitting user is tricked into clicking seemingly innocuous webpage elements like buttons with the goal of downloading malware, redirecting to malicious websites, or disclose sensitive information.
Details:
This is typically achieved by displaying an invisible page or HTML element on top of the visible page, resulting in a scenario where users are fooled into thinking that they are clicking the legitimate page when they are in fact clicking the rogue element overlaid atop it. Thus, the attacker is ‘hijacking’ clicks meant for the legitimate page and routing them to another page, most likely owned by another application, domain, or both. The issue was reported to the company in October 2021.
Currently:
This endpoint is designed for Billing Agreements and it should accept only billingAgreementToken. During deep testing they found that they can pass another token type, and this leads to stealing money from a victim’s PayPal account. This means that an adversary could embed the aforementioned endpoint inside an iframe, causing a victim already logged in a web browser to transfer funds to an attacker-controlled PayPal account simply on the click of a button.
Additional Security Info:
Even more concerningly, the attack could have had disastrous consequences in online portals that integrate with PayPal for checkouts, enabling the malicious actor to deduct arbitrary amounts from users’ PayPal accounts.
Closing:
There are online services that let you add balance using PayPal to your account. The same exploit can be used and force the user to add money to my account, or could exploit this bug and let the victim create/pay Netflix account for someone other than themselves.
Reference link for the full story:
New Unpatched Bug Could Let Attackers Steal Money from PayPal Users
This information is brought to you by Vectech Solutions, The Gold Standard in Cybersecurity
#checkoutportals #paypal #clickjacking
