
PayPal Bug Enables Attackers to Exfiltrate Cash from Users’ Account

The attack relies on clickjacking, a technique that tricks users into interacting with webpage elements that trigger malicious activity.


Malicious actors could exploit a new, unpatched security vulnerability in PayPal's money transfer feature, a security researcher known as h4x0r_dz claimed. The flaw enables attackers to trick victims into unintentionally completing attacker-directed transactions with a single click, a technique known as clickjacking.

Clickjacking, also called UI redressing, refers to a technique in which an unsuspecting user is deceived into clicking seemingly harmless webpage elements, such as buttons, with the goal of installing malware, redirecting the user to malicious websites, or revealing private information.

This kind of attack leverages an invisible overlay page or HTML element displayed on top of the visible page. When victims click on what appears to be the legitimate page, they are actually clicking the attacker-controlled element that overlays the legitimate content.

"Thus, the attacker is 'hijacking' clicks meant for [the legitimate] page and routing them to another page, most likely owned by another application, domain, or both," a security researcher explained in a blog post documenting the findings. 

h4x0r_dz reported the bug to the PayPal bug bounty program seven months ago, in October 2021, demonstrating that malicious actors could steal users' money by exploiting clickjacking. The researcher identified the flaw in the "www.paypal[.]com/agreements/approve" endpoint, which is designed for Billing Agreements.

According to the researcher, the endpoint should accept only a billingAgreementToken; in practice, however, it did not enforce this restriction.

"This endpoint is designed for Billing Agreements and it should accept only billingAgreementToken," the researcher stated. "But during my deep testing, I found that we can pass another token type, which leads to stealing money from [a] victim's PayPal account." 

This means an attacker could embed the endpoint inside an iframe and cause a victim who is already logged in to PayPal in their browser to transfer funds to an attacker-controlled PayPal account with a single click. More alarming still, the attack could have had disastrous consequences on online portals that integrate PayPal for checkouts, enabling the threat actor to steal arbitrary amounts from customers' PayPal accounts.

"There are online services that let you add balance using PayPal to your account," the researcher added. "I can use the same exploit and force the user to add money to my account, or I can exploit this bug and let the victim create/pay Netflix account for me!"
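The attack above depends on the sensitive endpoint being embeddable in a third-party iframe. The following added example (not code from the article, the researcher, or PayPal) checks a response's headers the way a defender auditing an approval or checkout page would: it evaluates the `X-Frame-Options` header and the CSP `frame-ancestors` directive and reports whether a given embedder origin could frame the page. Header names are assumed to be lower-cased, and the sample headers in the comments are constructed, not real PayPal responses.

```javascript
// Added example: decide whether a page served with `headers` can be framed by
// a document on `embedderOrigin`. That framing ability is the precondition for
// the clickjacking attack described above, so "true" here is a finding.
// Assumes header names are lower-cased (as Node's http module delivers them).

function parseFrameAncestors(csp) {
  // Returns the frame-ancestors source list, or null if the directive is absent.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function sourceMatches(src, pageOrigin, embedderOrigin) {
  // Subset of CSP source-expression matching: '*', 'self', scheme-only
  // sources (https:), exact origins, and host wildcards (https://*.example.com).
  // Paths and port wildcards are not handled; origins must compare exactly.
  if (src === '*') return true;
  if (src === "'self'") return pageOrigin === embedderOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedderOrigin.startsWith(src + '//');
  const [scheme, host] = embedderOrigin.split('//');
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*:)\/\/)?\*\.(.+)$/);
  if (m) {
    const schemeOk = !m[1] || m[1] === scheme;
    return schemeOk && host !== m[2] && host.endsWith('.' + m[2]);
  }
  return src === embedderOrigin;
}

function framingAllowed(headers, pageOrigin, embedderOrigin) {
  pageOrigin = pageOrigin.toLowerCase();
  embedderOrigin = embedderOrigin.toLowerCase();
  const csp = headers['content-security-policy'];
  const sources = csp ? parseFrameAncestors(csp) : null;
  if (sources !== null) {
    // frame-ancestors is authoritative when present; X-Frame-Options is ignored.
    if (sources.length === 0 || sources.includes("'none'")) return false;
    return sources.some((s) => sourceMatches(s, pageOrigin, embedderOrigin));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return pageOrigin === embedderOrigin;
  // No recognised anti-framing header: any origin may frame the page.
  return true;
}
```

A hardened approval page would answer `false` for every origin but its own, e.g. with `Content-Security-Policy: frame-ancestors 'self'` plus `X-Frame-Options: SAMEORIGIN` for older browsers.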