A security researcher, named h4x0r_dz, claims to have found an unpatched vulnerability in the money transfer service provided by PayPal. If exploited, this vulnerability might enable attackers to deceive victims into unintentionally completing transactions directed by the attacker with a single click, also known as Clickjacking.
According to the security researcher, the attacker is “hijacking” clicks that are destined for the legitimate website and redirecting them to another page, most likely one controlled by a different application, a different domain, or both.
Clickjacking is a technique that is sometimes referred to as UI redressing. It is a method in which an unsuspecting user is tricked into clicking seemingly harmless elements on a webpage, such as buttons, with the result that they download malicious software, are redirected to malicious websites, or disclose sensitive information.
This is typically accomplished by displaying an invisible page or HTML element on top of the visible page. This creates a situation in which users are tricked into believing that they are clicking on the correct page when, in reality, they are clicking on the malicious element that has been placed on top of the real page.
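The standard defense against this overlay trick is for the sensitive page itself to refuse to be framed, via a `Content-Security-Policy: frame-ancestors` directive or an `X-Frame-Options` header. The checker below is an added example (not code from the researcher or PayPal) that evaluates such response headers the way a browser would; the header values and origins it is tested with are constructed.

```python
"""Decide whether a response lets a cross-origin iframe embed the page.
Added illustration with constructed headers; implements CSP frame-ancestors
(takes precedence) and X-Frame-Options DENY/SAMEORIGIN; ports are ignored."""

def _origin(value: str):
    """Split 'scheme://host[:port]/...' into (scheme, host); scheme may be absent."""
    scheme, sep, rest = value.partition("://")
    if not sep:
        scheme, rest = "", value
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return scheme.lower(), host.lower()

def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None

def _source_matches(source: str, embedder: str, page: str) -> bool:
    """Does one frame-ancestors source expression match the embedding origin?"""
    e_scheme, e_host = _origin(embedder)
    if source == "self":
        return _origin(page) == (e_scheme, e_host)
    if source == "*":
        return True
    if source.endswith(":"):  # scheme-only source such as https:
        return e_scheme == source[:-1]
    s_scheme, s_host = _origin(source)
    if s_scheme and s_scheme != e_scheme:
        return False
    if s_host.startswith("*."):  # *.trusted.example matches subdomains only
        return e_host.endswith(s_host[1:])
    return e_host == s_host

def framing_allowed(headers: dict, page_url: str, embedder_origin: str) -> bool:
    """True if a browser would render page_url inside a frame on embedder_origin."""
    hdr = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(hdr.get("content-security-policy", ""))
    if sources is not None:  # CSP frame-ancestors overrides X-Frame-Options
        return sources != ["none"] and any(
            _source_matches(s, embedder_origin, page_url) for s in sources)
    xfo = hdr.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(page_url) == _origin(embedder_origin)
    return True  # no anti-framing header: an overlay attack is possible
```

Run it against the headers returned by any endpoint that completes a transaction on a single click; a `True` result for a foreign embedder origin is the condition the researcher describes.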
H4x0r_dz, who found the vulnerability on the “www.paypal[. ]com/agreements/approve” endpoint, says the issue was reported to the company in October 2021.
The researcher pointed out that since this endpoint is intended for Billing Agreements, it should only accept billingAgreementTokens. However, during extensive testing he discovered that it also accepted another token type, which could ultimately result in the theft of funds from a victim’s PayPal account.
This means an adversary could embed the aforementioned URL within an iframe, so that a victim who was already signed in to PayPal in their web browser would transfer funds to an attacker-controlled PayPal account with a single click of a button.
More alarmingly, the same technique could have had severe consequences on web portals that integrate PayPal for checkout, giving a malicious actor the ability to take arbitrary sums from victims’ PayPal accounts.
According to h4x0r_dz, there are online services that let you top up your PayPal account with additional funds. The researcher found that an attacker could abuse the same flaw to trick a user into adding balance to the attacker’s account, or to make the victim create and pay for a Netflix account on the attacker’s behalf, for example. PayPal has not commented on the case yet.