A security researcher declared the discovery of an unpatched flaw in PayPal that could allow attackers to steal money from users with one click.
Earlier, the expert reported the bug to the PayPal bug bounty program, demonstrating that attackers can steal users’ money by exploiting Clickjacking.
Clickjacking is also known as a “UI redress attack”. When an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page.
According to the expert, “The attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both”.
“I found that an attacker can steal money from Paypal accounts, Clickjacking on https://www.paypal.com/agreements/approve”, according to the post published by the researcher.
This endpoint is meant for “Billing Agreements” and it should accept only billingAgreementToken. But after the testing, it was found that it can pass another tokens type, and thus leads to stealing money from the victim’s PayPal account.
As you click, you will send money to the attacker’s PayPal. Also, the attacker address will be injected as the default billing.
Attacker injected billing address will be the default one on the victim’s PayPal account. The experts published a PoC exploit for this issue, which according to the expert has yet to be patched. “There are online services that let you add balance using Paypal to your account for example steam! I can use the same exploit and force the user to add money to my account!” reads the post published by the researchers. “Or I can exploit this bug and let the victim create/pay Netflix account for me!”.