Home>Blog>The Hacker News Headlines>PayPal Pays a Hacker $200,000 for Discovering ‘One-Click-Hack’ Vulnerability
The Hacker News Headlines

PayPal Pays a Hacker $200,000 for Discovering ‘One-Click-Hack’ Vulnerability

A security researcher disclosed details of a clickjacking attack
demonstrated against PayPal that could be exploited to steal
victims’ account balances in a single click.

Clickjacking, also called UI redressing[1], refers to a technique
wherein an unwitting user is tricked into clicking seemingly
innocuous webpage elements like buttons with the goal of
downloading malware, redirecting to malicious websites, or disclose
sensitive information.

This is typically achieved by displaying an invisible page or
HTML element on top of the visible page, resulting in a scenario
where users are fooled into thinking that they are clicking the
legitimate page when they are in fact clicking the rogue element
overlaid atop it.

“Thus, the attacker is ‘hijacking’ clicks meant for [the
legitimate] page and routing them to another page, most likely
owned by another application, domain, or both,” security researcher
h4x0r_dz wrote[2]
in a post documenting the findings.

h4x0r_dz, who discovered the issue on the
“www.paypal[.]com/agreements/approve” endpoint, was awarded a
$200,000 bounty for discovering and reporting the issue in October
2021.

“This endpoint is designed for Billing Agreements and it should
accept only billingAgreementToken,” the researcher explained. “But
during my deep testing, I found that we can pass another token
type, and this leads to stealing money from [a] victim’s PayPal
account.”

CyberSecurity

This means that an adversary could embed the aforementioned
endpoint inside an iframe[3], causing a victim
already logged in to a web browser to transfer funds to an
attacker-controlled PayPal account simply on the click of a
button.

Even more concerningly, the attack could have had disastrous
consequences on online portals that integrate with PayPal for
checkouts, enabling the malicious actor to deduct arbitrary amounts
from users’ PayPal accounts.

“There are online services that let you add balance using PayPal
to your account,” h4x0r_dz said. “I can use the same exploit and
force the user to add money to my account, or I can exploit this
bug and let the victim create/pay Netflix account for me!”

References

  1. ^
    UI
    redressing     (en.wikipedia.org)
  2. ^
    wrote
    (medium.com)
  3. ^
    iframe
    (en.wikipedia.org)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.