A security researcher asserts that he has uncovered an unpatched flaw in PayPal’s money transfer service. The flaw can allow attackers to deceive victims into inadvertently completing attacker-directed transactions with a single click.
Clickjacking, also known as UI redressing, is a technique in which an unsuspecting user is tricked into clicking on what appears to be a harmless web page, while the click actually triggers a malware download, a redirect to a malicious site, or the disclosure of sensitive information.
The attacker overlays a hidden page or HTML element on top of the visible page, so the user believes they are clicking on the legitimate page. In reality, the click lands on the concealed element sitting beneath the visible link.
“Thus, the attacker is ‘hijacking’ clicks meant for [the legitimate] page and routing them to another page, most likely owned by another application, domain, or both,” security researcher h4x0r_dz wrote in a post documenting the findings.
h4x0r_dz, who discovered the issue on the “www.paypal[.]com/agreements/approve” endpoint, said the issue was reported to the company in October 2021.
“This endpoint is designed for Billing Agreements and it should accept only billingAgreementToken,” the researcher explained. “But during my deep testing, I found that we can pass another token type, and this leads to stealing money from [a] victim’s PayPal account.”
An attacker can embed the endpoint above inside an invisible iframe; a victim who is already logged in to PayPal in their browser can then be made to transfer funds, with a single click, to a PayPal account controlled by the attacker.
Even more concerningly, the attack could have had disastrous consequences in online portals that integrate with PayPal for checkouts, enabling the malicious actor to deduct arbitrary amounts from users’ PayPal accounts.
“There are online services that let you add balance using PayPal to your account,” h4x0r_dz said. “I can use the same exploit and force the user to add money to my account, or I can exploit this bug and let the victim create/pay Netflix account for me!”
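The overlay attack described above only works when the targeted page can be loaded inside a third-party iframe, which is exactly what the `X-Frame-Options` header and the CSP `frame-ancestors` directive exist to prevent. The following audit helper is an added example, not code from the researcher or from PayPal: given a response's headers and a constructed pair of origins, it reports whether the embedding origin would be allowed to frame the page (ports are ignored in host-source matching, a simplification for this example).

```python
"""Audit response headers for clickjacking protection: may a given origin frame
this page? CSP frame-ancestors wins when present, else legacy X-Frame-Options."""
from urllib.parse import urlsplit


def _same_origin(a: str, b: str) -> bool:
    pa, pb = urlsplit(a.lower()), urlsplit(b.lower())
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def _source_matches(source: str, embedder: str, page: str) -> bool:
    """Match one CSP frame-ancestors source expression; ports are ignored."""
    src = source.strip().lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return _same_origin(embedder, page)
    if src == "*":
        return True
    emb = urlsplit(embedder.lower())
    if src.endswith(":") and "/" not in src:      # scheme-source, e.g. "https:"
        return emb.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")       # host-source, optional scheme
    if scheme and scheme != emb.scheme:
        return False
    host = host.split("/")[0].split(":")[0]       # drop any path and port
    if host.startswith("*."):
        return emb.hostname.endswith(host[1:])
    return emb.hostname == host


def frameable_by(headers: dict, embedder: str, page: str) -> tuple:
    """Return (allowed, reason): may `embedder` load `page` in an iframe?"""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            allowed = any(_source_matches(s, embedder, page) for s in parts[1:])
            return allowed, "csp frame-ancestors"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "x-frame-options deny"
    if xfo == "SAMEORIGIN":
        return _same_origin(embedder, page), "x-frame-options sameorigin"
    return True, "no anti-framing header"   # any third-party page may overlay it


if __name__ == "__main__":   # constructed sample headers, not from any real site
    csp = {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"}
    print(frameable_by(csp, "https://attacker.example", "https://pay.example"))
```

A result of `(True, "no anti-framing header")` for an origin you do not trust is the condition that makes a one-click transfer page like the one described here exploitable.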