PayPal is an online payment service used worldwide, particularly by independent workers and by businesses that want to offer their customers several ways to pay. At the end of last year, however, a cybersecurity researcher found a flaw in its money transfer system that remains unpatched at the time of writing. The details follow below.
Clickjacking is the technique used in the PayPal flaw
As of this article's publication the flaw has not been fixed and PayPal has not issued an official statement. The security researcher, known by the handle h4x0r_dz, reported the flaw in the “www.paypal[.]com/agreements/approve” endpoint in October 2021. He also confirmed on his channel that he informed the company of the bug, but it has not released a statement.
The technique in play is known as clickjacking, or UI redressing: it tricks users into clicking on elements of a site that look harmless but actually install malware, redirect them to dangerous sites, or extract sensitive information. The usual way to pull this off is to layer an invisible page or HTML element over the official site, so the user believes they are clicking on the familiar site when the click in fact lands on the element planted by the cybercriminals.
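The defence against this class of attack is to stop the endpoint from being embedded in a frame at all. As an added example (not code from the article or from PayPal), the following Python function audits a response's headers for exactly those framing protections; the header values and the origin `https://www.example.test` are constructed for illustration.

```python
"""Audit HTTP response headers for clickjacking (UI redressing) protection.
Added example, not from the article or PayPal: classifies whether a response
forbids being framed by a foreign origin, the condition the attack above depends
on. The sample header sets at the bottom are constructed for illustration."""
from typing import Dict, List, Optional


def csp_frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers: Dict[str, str], own_origin: str) -> str:
    """Return 'protected', 'allowlisted' or 'unprotected'. CSP frame-ancestors
    takes precedence over X-Frame-Options in browsers, so it is checked first; the
    Report-Only CSP header is ignored on purpose because it never blocks framing."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ancestors = csp_frame_ancestors(h.get("content-security-policy"))
    if ancestors is not None:
        # 'none' blocks all framing; a list limited to 'self'/our own origin is also safe
        if ancestors == ["'none'"] or all(a in ("'self'", own_origin.lower()) for a in ancestors):
            return "protected"
        # '*' or a bare scheme lets any site on that scheme frame the page
        if any(a in ("*", "http:", "https:") for a in ancestors):
            return "unprotected"
        return "allowlisted"  # specific third-party origins: review each one
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it gives no protection
    return "unprotected"


# Constructed sample responses for a payment-approval endpoint.
SAMPLES = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy": {"X-Frame-Options": "SAMEORIGIN"},
    "partner": {"Content-Security-Policy": "frame-ancestors 'self' https://checkout.example"},
    "any_https": {"content-security-policy": "frame-ancestors https:"},
    "missing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {framing_protection(hdrs, 'https://www.example.test')}")
```

Run it against the headers of a real response (for example from `curl -sI`) to see whether an approval or checkout page can be framed by a site you do not control.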
“Thus, the attacker is ‘hijacking’ clicks meant for [the legitimate] page and routing them to another page, most likely owned by another application, domain, or both,” the security researcher wrote in a post documenting the findings. “This endpoint is designed for Billing Agreements, and it should accept only billingAgreementToken,” it was explained. “But during my deep testing, I found that we can pass another token type, and this leads to stealing money from [a] victim’s PayPal account.”
This attack can have disastrous consequences, especially on sites that have integrated the PayPal service to pay for purchases or services. As h4x0r_dz explains: “There are online services that let you add balance using PayPal to your account, I can use the same exploit and force the user to add money to my account, or I can exploit this bug and let the victim create/pay a Netflix account for me!”
So far PayPal remains silent, and the researcher has not received any bug bounty, which is what would normally happen when a flaw that escaped the company's security teams is discovered.
Keep in touch with our blog to read the latest news and innovations in the cybersecurity world.
Photo by Muhammad Asyfaul on Unsplash.