A security researcher has disclosed details of a clickjacking attack against PayPal that could have been used to drain a victim’s account balance with a single click.
Clickjacking, also called UI redressing, is a technique in which an unwitting user is tricked into clicking seemingly innocuous webpage elements, such as buttons, with the goal of downloading malware, redirecting the user to malicious websites, or disclosing sensitive information.
This is done by loading the target page in a transparent frame positioned over a visible decoy page. The user believes they are clicking the decoy they can see, while the click actually lands on the hidden page.
“Thus, the attacker is ‘hijacking’ clicks meant for [the legitimate] page and routing them to another page, most likely owned by another application, domain, or both,” security researcher h4x0r_dz wrote in a post documenting the findings.
h4x0r_dz, who discovered the issue on the “www.paypal[.]com/agreements/approve” endpoint, was awarded a $200,000 bounty for discovering and reporting the issue in October 2021.
“This endpoint is designed for Billing Agreements and it should accept only billingAgreementToken,” the researcher explained. “But during my deep testing, I found that we can pass another token type, and this leads to stealing money from [a] victim’s PayPal account.”
This means that an adversary could embed the aforementioned endpoint in an invisible iframe on a page under their control. A victim who was already logged in to PayPal in the same browser and clicked what appeared to be a harmless button would in fact authorize a transfer of funds to an attacker-controlled PayPal account.
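Both the transparent-frame mechanism and the iframe embedding described above depend on one precondition: the target page must be frameable by a third-party origin. As an added example, not code from the original article or from the researcher, the following Node.js script decides from a response’s headers whether a page can be framed, applying the rule browsers use: an enforced `Content-Security-Policy` `frame-ancestors` directive takes precedence over `X-Frame-Options`, which is consulted only when no such directive is present. The sample responses, the origins (`bank.example`, `evil.example`, `partner.example`) and the function names are constructed for illustration and do not describe PayPal’s configuration.

```javascript
// Added example (not PayPal's code): decide from a response's headers whether a
// page can be framed by another origin. Sample headers below are constructed.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Lower-case header names and collect repeated headers into arrays.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    out[key] = (out[key] || []).concat(Array.isArray(value) ? value : [value]);
  }
  return out;
}

// Does one CSP source expression admit framerOrigin? Both origins arrive
// normalized (scheme://host[:port]). IPv6 literals are not handled.
function sourceMatches(source, framerOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === '*') return true;
  if (src === "'none'") return false;
  if (src === "'self'") return framerOrigin === pageOrigin;
  const framer = new URL(framerOrigin);
  const page = new URL(pageOrigin);
  // scheme-source such as "https:"; "http:" also admits https (secure upgrade)
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) {
    return framer.protocol === src || (src === 'http:' && framer.protocol === 'https:');
  }
  // host-source: [scheme://]host[:port][/path]; frame-ancestors ignores the path
  let rest = src;
  let scheme = null;
  const m = rest.match(/^([a-z][a-z0-9+.-]*):\/\//);
  if (m) { scheme = m[1] + ':'; rest = rest.slice(m[0].length); }
  rest = rest.split('/')[0];
  let host = rest;
  let port = null;
  const colon = rest.lastIndexOf(':');
  if (colon !== -1 && /^(\*|\d+)$/.test(rest.slice(colon + 1))) {
    host = rest.slice(0, colon);
    port = rest.slice(colon + 1);
  }
  // Scheme: explicit must match; absent means the page's scheme, or https for an http page.
  if (scheme !== null) {
    if (framer.protocol !== scheme) return false;
  } else if (framer.protocol !== page.protocol &&
             !(page.protocol === 'http:' && framer.protocol === 'https:')) {
    return false;
  }
  // Host: "*.example.com" covers subdomains only, never the bare domain.
  if (host.startsWith('*.')) {
    if (!framer.hostname.endsWith(host.slice(1))) return false;
  } else if (framer.hostname !== host) {
    return false;
  }
  // Port: absent means the default port of the framer's scheme; "*" is any.
  if (port === null) return framer.port === '';
  if (port === '*') return true;
  return (framer.port || DEFAULT_PORTS[framer.protocol] || '') === port;
}

// Every enforced policy carrying frame-ancestors must admit the framer; the
// directive with no sources means 'none'. Returns null if no policy sets it.
function cspAllowsFraming(cspHeaders, framerOrigin, pageOrigin) {
  let seen = false;
  for (const header of cspHeaders) {
    for (const policy of header.split(',')) {
      for (const directive of policy.split(';')) {
        const tokens = directive.trim().split(/\s+/).filter(Boolean);
        if (tokens.length === 0 || tokens[0].toLowerCase() !== 'frame-ancestors') continue;
        seen = true;
        if (!tokens.slice(1).some((s) => sourceMatches(s, framerOrigin, pageOrigin))) return false;
      }
    }
  }
  return seen ? true : null;
}

// X-Frame-Options is consulted only when no frame-ancestors directive exists.
function xfoAllowsFraming(xfoHeaders, framerOrigin, pageOrigin) {
  const values = xfoHeaders.flatMap((h) => h.split(',')).map((v) => v.trim().toUpperCase()).filter(Boolean);
  if (values.length === 0) return true;        // no header: anyone may frame the page
  if (new Set(values).size > 1) return false;  // conflicting values: browsers refuse to render
  if (values[0] === 'DENY') return false;
  if (values[0] === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true;                                 // ALLOW-FROM and malformed values are ignored today
}

// True when a top-level document at framerOrigin may embed the page in an iframe.
function isFrameable(rawHeaders, pageOrigin, framerOrigin) {
  const page = new URL(pageOrigin).origin;
  const framer = new URL(framerOrigin).origin;
  const h = normalizeHeaders(rawHeaders);
  const csp = cspAllowsFraming(h['content-security-policy'] || [], framer, page);
  if (csp !== null) return csp;
  return xfoAllowsFraming(h['x-frame-options'] || [], framer, page);
}

// Constructed sample responses for a hypothetical page at https://bank.example.
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  legacyOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
  partnerAllowlist: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
  cspOverridesXfo: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
  hardened: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" },
};

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  const exposed = isFrameable(headers, 'https://bank.example', 'https://evil.example');
  console.log(`${name.padEnd(17)} frameable from https://evil.example: ${exposed}`);
}
```

Run it with `node`; the loop reports which of the constructed responses an attacker page at `https://evil.example` could embed. The `hardened` entry shows the usual defence: `Content-Security-Policy: frame-ancestors 'none'` for current browsers together with `X-Frame-Options: DENY` for older ones. The check reads only the enforcing CSP header, because `Content-Security-Policy-Report-Only` does not block framing, and a `frame-ancestors` directive delivered in a `<meta>` tag is ignored by browsers.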
More worrying still, the attack could also have affected online portals that integrate with PayPal for checkout, enabling a malicious actor to deduct arbitrary amounts from users’ PayPal accounts.
“There are online services that let you add balance using PayPal to your account,” h4x0r_dz said. “I can use the same exploit and force the user to add money to my account, or I can exploit this bug and let the victim create/pay Netflix account for me!”