The Hacker News reported that a researcher using the nickname h4x0r_dz discovered an unpatched vulnerability in PayPal that could trick users into completing malicious transactions with a single click. This type of attack is called clickjacking: it uses an invisible page or HTML element overlaid on top of the visible page, so that when users click on what appears to be the legitimate page they are actually clicking an invisible element controlled by the attacker.
The researcher reported the bug through PayPal's bug bounty program seven months ago, demonstrating how an attacker could use clickjacking to steal a victim's money.
The researcher found the vulnerability in the endpoint "http://www.paypal[.]com/agreements/approve", which is used for billing agreements (authorisations to debit funds without a separate order from the account holder). The endpoint should accept only a billingAgreementToken, but the researcher proved otherwise.
“I discovered that it is possible to pass tokens of another type and use this to steal money from the victim's PayPal account,” says h4x0r_dz in his write-up. “An attacker can load the attack-sensitive paypal.com endpoint in an iframe, and when the victim clicks anywhere on the page, their money will be sent to the attacker's account.”
The vulnerability could also be used to top up balances or pay for subscriptions on services that accept PayPal payments.
“There are many online services that allow you to top up your balance using PayPal. Steam or Netflix, for example! I can use the exploit to force the victim to top up my Steam balance or pay for a Netflix subscription!” the researcher added.
Although the researcher has published a proof-of-concept exploit, PayPal has not yet fixed the vulnerability.
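The defence against the framing described above is for the site to tell browsers it must not be embedded, via the Content-Security-Policy frame-ancestors directive or the older X-Frame-Options header. The following added example (not code from the article or from PayPal) classifies a set of response headers by how well they resist framing; the header values are constructed for illustration.

```python
"""Classify HTTP response headers by clickjacking (framing) protection.

Browsers enforce two defences: the CSP `frame-ancestors` directive and the
legacy `X-Frame-Options` header. When both are present, browsers that support
CSP honour `frame-ancestors` and ignore X-Frame-Options, so a weak CSP value
silently cancels a strong X-Frame-Options value.
"""
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(headers: Dict[str, str]) -> Optional[List[str]]:
    """Return the source list of frame-ancestors, or None if absent."""
    csp = _header(headers, "Content-Security-Policy")
    if csp is None:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Return 'protected', 'restricted' (specific origins allowed) or 'unprotected'."""
    sources = frame_ancestors(headers)
    if sources is not None:
        norm = [s.lower().strip("'") for s in sources]
        if norm in (["none"], ["self"]):
            return "protected"
        if "*" in norm or not norm:
            return "unprotected"        # wildcard or empty list framable by anyone
        return "restricted"             # explicit allow-list of framing origins
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return "unprotected"
    if xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "protected"
    return "unprotected"                # ALLOW-FROM is obsolete and ignored by modern browsers


# Constructed sample: a strong X-Frame-Options cancelled by a permissive CSP.
SAMPLE_CONFLICT = {"X-Frame-Options": "DENY",
                   "content-security-policy": "default-src 'self'; frame-ancestors *"}
```

Run `framing_protection` over the headers of every authenticated, state-changing page; anything other than "protected" deserves a closer look.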