New unpatched bug could allow PayPal Money Theft

A security researcher claims to have found a bug in PayPal’s money transfer service that hasn’t been fixed yet. This bug could let attackers trick victims into sending money to them without their knowledge with just one click.

Clickjacking, also known as UI redressing, is a method in which an unsuspecting user is tricked into clicking seemingly harmless webpage elements, like buttons, in order to download malware, send them to malicious websites, or get them to reveal sensitive information.

Most of the time, this is done by putting an invisible page or HTML element on top of the visible page. This makes users think they are clicking on the real page when they are actually clicking on the bad element that is on top of it.
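The standard defence against the overlay technique described above is to stop the page from being framed at all, using the `Content-Security-Policy: frame-ancestors` directive (with `X-Frame-Options` as a fallback for older browsers). The following Python is an added example, not code from the article or from PayPal: it classifies a response's anti-framing posture from its headers and shows how to add the missing headers. The header values in it are constructed samples, not captured from any real site.

```python
"""Classify and harden anti-clickjacking response headers.

Added example, not part of the original article. All header values here are
constructed samples. The policy rules encoded are the public ones: a
CSP frame-ancestors directive overrides X-Frame-Options when both are present,
an empty or 'none' source list forbids all framing, and the obsolete
X-Frame-Options ALLOW-FROM value is ignored by current browsers.
"""
from typing import Dict, List, Optional, Tuple


def _parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of frame-ancestors, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for a set of HTTP response headers.

    verdict is one of:
      'blocked'    - no other origin may embed the page in a frame
      'restricted' - only the listed origins (or the same origin) may embed it
      'frameable'  - nothing prevents an arbitrary site from framing the page
    """
    lower = {k.lower(): v for k, v in headers.items()}

    # CSP wins over X-Frame-Options in browsers that understand both.
    csp = lower.get("content-security-policy")
    if csp:
        sources = _parse_frame_ancestors(csp)
        if sources is not None:
            if not sources or sources == ["'none'"]:
                return "blocked", "CSP frame-ancestors 'none'"
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return "frameable", "CSP frame-ancestors permits any origin"
            return "restricted", "CSP frame-ancestors limited to " + " ".join(sources)

    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "blocked", "X-Frame-Options: DENY"
    if xfo == "sameorigin":
        return "restricted", "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("allow-from"):
        return "frameable", "X-Frame-Options ALLOW-FROM is ignored by current browsers"
    return "frameable", "no frame-ancestors directive and no X-Frame-Options"


def harden_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of headers with framing forbidden wherever no policy was set.

    An existing frame-ancestors list is left alone so that a deliberate
    allow-list (e.g. a checkout page merchants are meant to embed) survives.
    """
    hardened = dict(headers)
    csp_key = next((k for k in hardened if k.lower() == "content-security-policy"), None)
    if csp_key is None:
        hardened["Content-Security-Policy"] = "frame-ancestors 'none'"
    elif _parse_frame_ancestors(hardened[csp_key]) is None:
        hardened[csp_key] = hardened[csp_key].rstrip("; ") + "; frame-ancestors 'none'"
    if not any(k.lower() == "x-frame-options" for k in hardened):
        hardened["X-Frame-Options"] = "DENY"
    return hardened


if __name__ == "__main__":
    # Constructed sample responses for a sensitive endpoint such as a payment approval page.
    samples = {
        "unprotected": {"Content-Type": "text/html"},
        "legacy only": {"X-Frame-Options": "SAMEORIGIN"},
        "allow-list": {"Content-Security-Policy": "frame-ancestors https://checkout.example"},
        "hardened": harden_headers({"Content-Type": "text/html"}),
    }
    for name, hdrs in samples.items():
        verdict, reason = framing_policy(hdrs)
        print(f"{name:12s} -> {verdict:10s} ({reason})")
```

For an endpoint that merchants legitimately embed, `frame-ancestors 'none'` is too strict; the right setting is an explicit allow-list of merchant origins, which `framing_policy` reports as `restricted`. Checking the actual header values a sensitive endpoint returns, rather than assuming a framework default, is the test worth adding to a release pipeline.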

“So, the attacker is ‘hijacking’ clicks meant for [the legitimate] page and sending them to another page, which is probably owned by another application, domain, or both,” security researcher h4x0r dz wrote in a post about the findings.

The problem was found on the “www.paypal.com/agreements/approve” endpoint by h4x0r dz, who said he told the company about it in October 2021.

“This endpoint is for Billing Agreements, and it should only accept billingAgreementToken,” the researcher said. “But during my deep testing, I found that we can pass another type of token, which lets us steal money from a victim’s PayPal account.”

This means that an attacker could load the endpoint inside an iframe on a page they control, so that a victim who is already logged in to PayPal in their browser transfers funds to an attacker-controlled PayPal account with a single click.

Even more worrying, the attack could have caused serious trouble for online stores that use PayPal for checkout, because it would have let an attacker drain money from customers’ PayPal accounts.

“You can use PayPal to add money to your account through online services,” h4x0r dz said. “I can use the same exploit to force the user to add money to my account, or I can use this bug to let the victim create and pay for my Netflix account!”
