NEW BUG THAT ALLOWS ATTACKERS TO STEAL MONEY IDENTIFIED.
People around the world extensively use PayPal for money transfers. The heavy online traffic, with billions of dollars constantly on the move, is a great temptation for scammers. Every day new tricks are devised to fleece people of their hard-earned cash.
According to new findings by a security researcher, there is an unpatched vulnerability in PayPal's money transfer service that allows an attacker to trick a user into clicking a link or button on a page the attacker controls. Once the user unwittingly clicks, a transaction the attacker prepared in advance is approved and the user is deprived of his money.
This technique is referred to as clickjacking or UI redressing. It works by coaxing a user into clicking a seemingly benign button or link on the attacker's page. No malware is downloaded: the attacker's page loads the target site inside an invisible iframe positioned on top of the visible decoy content. The user is led to believe that he is clicking the visible page when, in fact, he is clicking the invisible target page sitting on top of it, and the click triggers whatever action that page performs, such as approving a transaction or disclosing sensitive information.
This means that the attacker reroutes the user's clicks to a page of his choice, where actions of the attacker's liking are triggered. The user unknowingly interacts with a page that is owned and operated by another domain or application, embedded inside the attacker's page. These findings were reported by a security researcher who identifies himself as h4x0r_dz. The researcher discovered the problem while he was studying the "www.paypal.com/agreements/approve" endpoint and has reported the discovery to the security team at PayPal.
The researcher said, "This endpoint is designed for Billing Agreements and it should accept only a billing agreement token. But during my deep testing, I found that we can pass another token type, and this leads to stealing money from a victim's PayPal account."
This implies that the attacker could embed the endpoint inside an iframe that sits invisibly on top of a decoy page. The user's clicks land on the framed PayPal page while the visible decoy underneath stays idle and inactive. Because the endpoint accepts a token other than a billing agreement token, a single click on what looks like a harmless button approves a transfer of funds to an attacker-controlled PayPal account.
Even more alarming, the flaw could have far-reaching consequences for websites that integrate with PayPal for checkouts. Threat actors could use it to move large amounts from users' PayPal accounts into accounts under their control.
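The two halves of the problem described above, as an added example in JavaScript for Node (not code from the article or from h4x0r_dz's report): buildDecoyPage() shows the invisible-iframe layout that UI redressing relies on, and isFrameable() is the header check a defender runs to learn whether an endpoint can be framed by a third-party origin at all. TARGET_URL, the hosts target.example, partner.example and evil.example, and the sample header sets are all constructed for illustration; none of them is the real endpoint or a captured PayPal response.

```javascript
// Added example, not code from the article or from the researcher's report.
// TARGET_URL is a placeholder standing in for whatever endpoint is framed;
// the headers below are constructed samples, not captured PayPal responses.
const TARGET_URL = "https://target.example/approve?token=PLACEHOLDER"; // hypothetical

// Attacker side of UI redressing: the framed target is made fully transparent
// and stacked above a visible decoy button. The decoy never receives the
// click; the iframe does. offsetX/offsetY shift the frame so the target's
// real "approve" control lands exactly under the decoy.
function buildDecoyPage(targetUrl, decoyLabel, offsetX, offsetY) {
  return `<!doctype html>
<html><body>
<button style="position:absolute;left:100px;top:100px;z-index:1">${decoyLabel}</button>
<iframe src="${targetUrl}"
  style="position:absolute;left:${-offsetX}px;top:${-offsetY}px;width:1000px;height:800px;opacity:0;z-index:2;border:0">
</iframe>
</body></html>`;
}

// Defender side: decide from a response's headers whether a page served by
// targetOrigin can be embedded by a page at attackerOrigin. This mirrors
// browser behaviour: when a CSP frame-ancestors directive is present it is
// what counts and X-Frame-Options is ignored; otherwise X-Frame-Options applies.
function isFrameable(headers, targetOrigin, attackerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const csp = h["content-security-policy"];
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim().split(/\s+/))
      .find((d) => d[0].toLowerCase() === "frame-ancestors");
    if (directive) {
      const sources = directive.slice(1);
      // 'none' (or an empty list) allows no ancestor at all.
      if (sources.length === 0 || sources[0].toLowerCase() === "'none'") return false;
      return sources.some((s) => ancestorSourceMatches(s, attackerOrigin, targetOrigin));
    }
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return attackerOrigin === targetOrigin;
  // No header, an unrecognised value, or the obsolete ALLOW-FROM form that
  // current browsers ignore: nothing prevents the embedding.
  return true;
}

// Match one frame-ancestors source expression against an embedding origin.
// Path components of a host source are accepted but not compared.
function ancestorSourceMatches(source, origin, targetOrigin) {
  const src = source.toLowerCase();
  if (src === "*") return true;
  if (src === "'self'") return origin === targetOrigin;
  if (src === "'none'") return false;
  const o = new URL(origin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return src === o.protocol; // scheme source, e.g. https:
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(?:\/.*)?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme + ":" !== o.protocol) return false;
  const originPort = o.port || (o.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && port !== originPort) return false;
  return wildcard ? o.hostname.endsWith("." + host) : o.hostname === host;
}

// The headers a click-sensitive endpoint should send. Both are set: CSP is
// authoritative where supported and X-Frame-Options covers older agents.
function hardenedHeaders() {
  return {
    "Content-Security-Policy": "frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
  };
}

// Constructed sample responses for an offline check.
const SAMPLE_RESPONSES = {
  noProtection: {},
  denyAll: { "X-Frame-Options": "DENY" },
  cspPartnerOnly: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
  obsoleteAllowFrom: { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  hardened: hardenedHeaders(),
};

// Evaluate every sample against an attacker origin; returns name -> frameable.
function checkSamples(attackerOrigin) {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    out[name] = isFrameable(headers, "https://target.example", attackerOrigin);
  }
  return out;
}

console.log(checkSamples("https://evil.example"));
```

Running the block prints which of the constructed responses an attacker page at evil.example could frame: only the response with no header and the one relying on the obsolete ALLOW-FROM form are frameable, while DENY, a frame-ancestors allow-list and the hardened pair all block it. The same check, pointed at a real endpoint's response headers, is the first thing to confirm when assessing a clickjacking report.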
The researcher, h4x0r_dz, has issued a stark reminder, “There are online services that let you add balance using PayPal to your account. I can use the same exploit and force the user to add money to my account, or I can exploit this bug and let the victim create/pay Netflix account for me!”