According to a security researcher, an unpatched vulnerability in PayPal’s money transfer service could allow attackers to deceive victims into completing attacker-directed transactions with a single click.
Clickjacking, also known as UI redressing, is a technique for tricking an unwary user into clicking a seemingly harmless webpage element such as a button, so that the click triggers something else: a malware download, a redirect to a malicious site, the disclosure of sensitive information, or, as here, an action on a site where the victim is already logged in.
It is usually accomplished by loading the target page in an invisible iframe layered over a decoy page the attacker controls (or by placing a transparent element over a visible page), positioned so that the click the victim believes is going to the harmless decoy actually lands on the hidden target. Because the browser sends the victim's existing session cookies with the framed request, the target site treats the click as a deliberate action by the logged-in user.
“As a result, the attacker is ‘hijacking’ clicks intended for [the legitimate] page and redirecting them to another page, most likely controlled by another application, domain, or both,” wrote security researcher h4x0r dz in a blog post detailing the findings. The problem was reported to PayPal in October 2021, according to h4x0r dz, who spotted it on the “www.paypal[.]com/agreements/approve” endpoint.
The researcher explained, “This endpoint is built for Billing Agreements and should only take billing Agreement Token. However, during my extensive testing, I discovered that we can pass another token type, resulting in the theft of funds from [a] victim’s PayPal account.”
This means an attacker could embed that endpoint in an iframe on a page they control, so that a victim who is already logged into PayPal in their browser transfers funds to an attacker-controlled PayPal account with a single click of a button. Worse, the same technique could be turned against online services that use PayPal for checkout, letting the attacker charge arbitrary amounts to customers’ PayPal accounts.
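The following is an added example, not code from the article or from h4x0r dz’s write-up. It shows two things: first, the page structure of a clickjacking overlay of the kind described above (a bait button with a transparent iframe stacked over it), and second, a check that a practitioner can run against a target’s response headers to decide whether a foreign origin would be allowed to frame the page at all, which is the browser-side control that stops this class of attack. All URLs, origins and header sets below are placeholders constructed for the example, not values from PayPal or from the researcher.

```javascript
// Added example, not code from the article or from h4x0r dz's write-up.
// Part 1 shows the page structure of a clickjacking overlay of the kind the
// article describes; part 2 checks whether a target's response headers would let
// a foreign origin frame it at all. All URLs and origins are placeholders.

// ---- Part 1: the overlay -------------------------------------------------------
// The victim sees only the bait button. The target page is loaded in a fully
// transparent iframe stacked above it and offset so that the target's real
// "approve" button sits exactly under the bait. The click lands in the frame,
// and the browser sends the victim's session cookies for the target site with it.
function buildDecoyPage(targetUrl, bait = { top: 200, left: 300 }, shift = { top: 120, left: 250 }) {
  const safeUrl = targetUrl.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return [
    "<!doctype html><html><body>",
    `<button style="position:absolute;top:${bait.top}px;left:${bait.left}px">Claim your prize</button>`,
    `<iframe src="${safeUrl}" style="position:absolute;` +
      `top:${bait.top - shift.top}px;left:${bait.left - shift.left}px;` +
      `width:900px;height:700px;border:0;opacity:0;z-index:2"></iframe>`,
    "</body></html>",
  ].join("\n");
}

// ---- Part 2: the header check --------------------------------------------------
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1);
  const port = u.port || (scheme === "https" ? "443" : scheme === "http" ? "80" : "");
  return { scheme, host: u.hostname, port };
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);              // "*.example" -> ".example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one frame-ancestors source expression admit the embedding origin?
function sourceAllows(expr, target, embedder) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") {
    return embedder.scheme === target.scheme && embedder.host === target.host && embedder.port === target.port;
  }
  if (e === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return embedder.scheme === e.slice(0, -1);   // scheme-source, e.g. "https:"
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/);        // host-source
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (scheme && scheme !== embedder.scheme) return false;
  if (port && port !== "*" && port !== embedder.port) return false;
  return hostMatches(hostPattern, embedder.host);
}

// headers: plain object with lower-case names; a value is a string or an array of
// strings (repeated headers). Only the enforcing CSP header counts:
// Content-Security-Policy-Report-Only never blocks anything.
function framingAllowed(headers, targetOrigin, embedderOrigin) {
  const target = parseOrigin(targetOrigin);
  const embedder = parseOrigin(embedderOrigin);
  const get = (name) => [].concat(headers[name] || []);

  // When frame-ancestors is present, browsers use it and ignore X-Frame-Options.
  // With several CSP headers, each one must allow the embedder.
  let sawFrameAncestors = false;
  for (const policy of get("content-security-policy")) {
    for (const directive of policy.split(";")) {
      const tokens = directive.trim().split(/\s+/);
      if (tokens[0].toLowerCase() !== "frame-ancestors") continue;
      sawFrameAncestors = true;
      const sources = tokens.slice(1);          // an empty source list means 'none'
      if (!sources.some((s) => sourceAllows(s, target, embedder))) {
        return { allowed: false, reason: `frame-ancestors ${sources.join(" ") || "(empty)"} excludes ${embedderOrigin}` };
      }
    }
  }
  if (sawFrameAncestors) return { allowed: true, reason: "frame-ancestors admits the embedder" };

  const xfo = get("x-frame-options").map((v) => v.trim().toUpperCase());
  if (xfo.includes("DENY")) return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo.includes("SAMEORIGIN")) {
    const same = sourceAllows("'self'", target, embedder);
    return { allowed: same, reason: same ? "same origin" : "X-Frame-Options: SAMEORIGIN" };
  }
  // ALLOW-FROM is obsolete and ignored by current browsers, so it protects nothing.
  return { allowed: true, reason: "no framing restriction in response headers" };
}

// ---- Constructed sample data (not captured from any real service) --------------
const TARGET_ORIGIN = "https://pay.example";           // placeholder for the target site
const ATTACKER_ORIGIN = "https://prizes.example.net";  // placeholder for the decoy site
const UNPROTECTED = { "content-type": "text/html" };
const HARDENED = {
  "content-security-policy": "default-src 'self'; frame-ancestors 'self' https://*.example",
  "x-frame-options": "DENY",
};

console.log(buildDecoyPage(`${TARGET_ORIGIN}/agreements/approve?token=PLACEHOLDER`));
console.log(framingAllowed(UNPROTECTED, TARGET_ORIGIN, ATTACKER_ORIGIN));
console.log(framingAllowed(HARDENED, TARGET_ORIGIN, ATTACKER_ORIGIN));
console.log(framingAllowed(HARDENED, TARGET_ORIGIN, "https://checkout.example"));
```

Two points worth noting when using the check. A response that carries both headers is governed by `frame-ancestors`, so the third call above reports the page as frameable from `https://checkout.example` even though `X-Frame-Options: DENY` is also set; a policy that grants `*` or a broad wildcard host is therefore as permissive as no header at all. And framing controls only address the click-hijacking half of the story: the token-type confusion the researcher describes on the approve endpoint is a separate server-side authorization problem, and a page that accepts the wrong token type still needs that fixed regardless of how it is framed.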
“There are online businesses that allow you to add balance to your account using PayPal,” h4x0r dz explained. “I can use the same exploit to force the user to add money to my account, or I can leverage this bug to allow the victim to create and pay for my Netflix account!”