This bug in PayPal allows a hacker to manipulate transactions


Alexander Schmid

May 24, 2022 at 5:55 p.m.



A security flaw allows hackers to siphon money from PayPal users' accounts. A single, seemingly innocuous click is enough to authorize an unwanted payment.

A security researcher codenamed h4x0r_dz has discovered a vulnerability in PayPal’s money transfer service.

A simple misdirected click can trigger a payment

According to him, the flaw lets attackers use a clickjacking (click hijacking) technique to deceive the user. This consists of displaying an interface element that looks legitimate on a web page and invites a click, such as a cross to close a window. Overlaying a button that leads to a malicious site on top of a trustworthy UI component is another way to trick users.


In the case made public by h4x0r_dz, the victim can be led to authorize a one-click payment. The page www.paypal.com/agreements/approve acts as an endpoint intended to obtain billing agreements and should only accept a billingAgreementToken. In reality, another type of token can also be submitted, which makes the clickjacking possible.
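Clickjacking of the kind described above only works if the sensitive approval page can be loaded inside an attacker-controlled frame. The following is an added defender-side check (not code from the article, the researcher or PayPal) that classifies an HTTP response by its framing protection; the sample header sets are constructed and are not real PayPal responses.

```python
"""Classify whether an HTTP response permits cross-origin framing.

Two headers stop a page from being embedded by a third party:
X-Frame-Options (DENY / SAMEORIGIN) and the CSP `frame-ancestors`
directive. Per the CSP spec, frame-ancestors overrides X-Frame-Options
when both are present, so it is evaluated first.
"""
from typing import Dict, List, Optional


def _parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Return 'blocked', 'same-origin' or 'embeddable' (header names case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ancestors = _parse_frame_ancestors(lowered.get("content-security-policy", ""))
    if ancestors is not None:
        if not ancestors or ancestors == ["none"]:
            return "blocked"
        if all(src == "self" for src in ancestors):
            return "same-origin"
        return "embeddable"  # any host, scheme or '*' lets some third party frame it
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "embeddable"  # absent, invalid or obsolete ALLOW-FROM: no protection


# Constructed sample responses for an approval-style endpoint (not real PayPal data).
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wide": {"Content-Security-Policy": "frame-ancestors 'self' https://*.example"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each sample name to its framing classification."""
    return {name: framing_protection(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:12s} -> {verdict}")
```

Any endpoint that approves a payment or agreement should come back as "blocked" or "same-origin"; an "embeddable" verdict is the precondition a clickjacking page relies on.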

PayPal still hasn’t patched the security flaw

The vulnerability can be exploited in particular when you make a payment on a third-party site that accepts PayPal and therefore redirects to the platform with an authentication token. The danger also exists if you are using a browser in which you are already logged into your PayPal account.

The cybersecurity expert explains that he could exploit this flaw to transfer money to his own PayPal account, or to create a Netflix account billed to the victim.

He claims to have contacted PayPal in October 2021 to warn them of this vulnerability, but it has still not been fixed.


Source : The Hacker News
