Because of a security flaw, attackers could abuse PayPal users' accounts. And all with just one click.
Security researcher h4x0r_dz discovered a vulnerability in PayPal's money transfer service that could allow attackers to trick victims into carrying out transactions of the attacker's choosing without realising it. In other words, the attacker "hijacks" clicks intended for a legitimate page and routes them to another page, "most likely owned by another application, in another domain, or both", h4x0r_dz wrote in the post documenting the findings. According to the researcher, the flaw therefore lets attackers use a technique known as clickjacking to catch the user off guard.
Clickjacking, or "click hijacking", refers to a technique by which a user is tricked into clicking seemingly innocuous web page elements, such as buttons, in order to install malware, redirect the user to malicious websites or leak sensitive information. In short, the attack takes place in three stages.
First, the attacker identifies a target and selects a page that is not protected against this type of attack, that is, a page on which an action is performed by clicking a link or a button. Next, the attacker embeds this page in a malicious page under their control. All that remains is for the victim to click an element on that page, which in reality triggers a button or link the attacker has placed there. In other words, the attacker shows the victim a legitimate-looking interface element on a web page and tricks them into clicking it.
One malicious click, one payment
In the case of the PayPal flaw, h4x0r_dz found the problem at the endpoint "www.paypal[.]com/agreement/approval". "This endpoint is designed for billing agreements and should only accept billing agreement tokens. But during my extensive testing, I found that we can pass another type of token, and this leads to money being stolen from the victim's PayPal account", h4x0r_dz wrote.
Concretely, an attacker could embed the above URL in an iframe. Provided the victim is already logged in to PayPal in their web browser, a single click is then enough to transfer money to a PayPal account controlled by the attacker. An iframe is the HTML tag used to embed the content of one HTML page inside another. Another worrying point is that attacks on web portals that use PayPal for payments could have disastrous consequences: the attacker could take arbitrary amounts of money from victims' PayPal accounts. For example, the flaw could be used to trick the victim into creating and paying for a Netflix account on the attacker's behalf.
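The defence against framing attacks of this kind is a response header that tells the browser who may embed the page. The following added example (not code from the article, PayPal or the researcher) evaluates constructed header sets against an assumed embedding origin and reports whether the page could be loaded in an iframe at all; the origins and header values are made up for illustration.

```python
"""Decide whether a page's headers allow it to be framed by a given origin.
Constructed example: origins and header sets below are invented for illustration."""
from urllib.parse import urlparse

def _source_matches(source: str, page_origin: str, framer_origin: str) -> bool:
    """Match one CSP frame-ancestors source expression (simplified: scheme and
    port are only checked for bare scheme sources such as 'https:')."""
    src = source.lower()
    if src == "'self'":
        return framer_origin == page_origin
    if src == "*":
        return True
    if src in ("https:", "http:"):
        return framer_origin.startswith(src)
    host = urlparse(framer_origin).hostname or ""
    src_host = urlparse(src if "://" in src else "//" + src, scheme="https").hostname or ""
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])  # "*.example.com" -> ".example.com"
    return host == src_host

def framable_by(headers: dict, page_origin: str, framer_origin: str) -> bool:
    """True if framer_origin may embed the page. A CSP frame-ancestors directive
    takes precedence over X-Frame-Options; with neither, any site can frame it."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            if not sources or "'none'" in sources:
                return False
            return any(_source_matches(s, page_origin, framer_origin) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    return True  # no protection (ALLOW-FROM is obsolete and ignored by browsers)

# Constructed header sets for a hypothetical payment approval page.
SAMPLE_RESPONSES = {
    "unprotected": {},
    "xfo_sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_subdomains": {"Content-Security-Policy": "frame-ancestors 'self' https://*.pay.example"},
}

def audit(page_origin: str, framer_origin: str) -> dict:
    """Map each sample response to whether framer_origin could frame the page."""
    return {name: framable_by(hdrs, page_origin, framer_origin)
            for name, hdrs in SAMPLE_RESPONSES.items()}
```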
The researcher also said that he reported the issue to the company in October 2021. At the time of writing, the bug has still not been fixed and the researcher has received no reward for reporting the flaw.