A security researcher has disclosed details of a clickjacking attack demonstrated against PayPal that could have been exploited to steal a victim's account balance with a single click.
Clickjacking, also known as UI redressing, refers to a technique in which an unwitting user is tricked into clicking seemingly innocuous webpage elements such as buttons, with the goal of downloading malware, redirecting to malicious websites, or disclosing sensitive information.
This is typically achieved by displaying an invisible webpage or HTML element on top of the visible page, so that users are fooled into thinking they are clicking the legitimate page when they are in fact clicking the rogue element overlaid on top of it.
"Thus, the attacker is 'hijacking' clicks meant for [the legitimate] page and routing them to another page, most likely owned by another application, domain, or both," security researcher h4x0r_dz wrote in a post documenting the findings.
h4x0r_dz, who discovered the issue on the "www.paypal[.]com/agreements/approve" endpoint, was awarded a $200,000 bounty for discovering and reporting the issue in October 2021.
"This endpoint is designed for Billing Agreements and it should accept only billingAgreementToken," the researcher explained. "But during my deep testing, I found that we can pass another token type, and this leads to stealing money from [a] victim's PayPal account."
This means that an adversary could embed the aforementioned endpoint inside an iframe, causing a victim already logged in to PayPal in their web browser to transfer funds to an attacker-controlled PayPal account with nothing more than the click of a button.
Even more concerningly, the attack could have had disastrous consequences for online portals that integrate with PayPal for checkouts, enabling the malicious actor to deduct arbitrary amounts from users' PayPal accounts.
"There are online services that let you add balance using PayPal to your account," h4x0r_dz said. "I can use the same exploit and force the user to add money to my account, or I can exploit this bug and let the victim create/pay a Netflix account for me!"
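The attack described above only works if the approval endpoint can be loaded inside an attacker's iframe, which is exactly what the standard framing controls (CSP `frame-ancestors` and the older `X-Frame-Options` header) prevent. The following added example, which is not code from the article or from PayPal, models how a modern browser decides whether a response may be framed by a given parent origin, so a defender can audit a state-changing endpoint's headers and see why a missing or malformed header leaves it exposed. The function names, header values and origins (`payments.example`, `attacker.example`, `partner.example`) are all constructed for illustration.

```javascript
// Added example, not from the article: evaluate whether a response's headers
// let the page be framed by a given parent origin. Header values and origins
// are constructed; function names are hypothetical.

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Extract the frame-ancestors source list from a CSP header, or null if absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === "frame-ancestors") {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source expression match the parent origin?
function sourceMatches(source, parentOrigin, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return parentOrigin === selfOrigin;
  if (source === "*") return true;
  const parent = new URL(parentOrigin);
  // Scheme-only source such as "https:" matches any host on that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return parent.protocol === source;
  // Host source: [scheme://]host[:port]; host may start with "*." for subdomains.
  let rest = source;
  const schemeMatch = rest.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (schemeMatch) {
    if (parent.protocol !== schemeMatch[1] + ":") return false;
    rest = schemeMatch[2];
  }
  const [host, port] = rest.split(":");
  const parentPort = parent.port || DEFAULT_PORT[parent.protocol] || "";
  if (port !== undefined && port !== parentPort) return false;
  if (host.startsWith("*.")) {
    // "*.partner.example" matches shop.partner.example but not partner.example itself.
    const suffix = host.slice(1);
    return parent.hostname.endsWith(suffix) && parent.hostname.length > suffix.length;
  }
  return parent.hostname === host;
}

// Case-insensitive header lookup.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((h) => h.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Decide whether a browser honouring CSP Level 3 would render this response
// inside a frame whose top-level origin is parentOrigin.
function mayBeFramed(headers, parentOrigin, selfOrigin) {
  const ancestors = parseFrameAncestors(getHeader(headers, "content-security-policy"));
  if (ancestors !== null) {
    // frame-ancestors takes precedence over X-Frame-Options when both are present.
    return ancestors.some((src) => sourceMatches(src, parentOrigin, selfOrigin));
  }
  const xfo = getHeader(headers, "x-frame-options");
  if (xfo !== undefined) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY") return false;
    if (value === "SAMEORIGIN") return parentOrigin === selfOrigin;
    // ALLOW-FROM is obsolete and unrecognised values are ignored by browsers,
    // so a misspelt or invented value gives no protection at all.
  }
  return true; // no restriction: any site can overlay this page in an iframe
}

// Headers a defender would send on a state-changing page such as an approval
// endpoint: an explicit allow-list via CSP, plus X-Frame-Options as a fallback
// for browsers that predate frame-ancestors (note the fallback is stricter
// than a partner allow-list, since it only permits same-origin framing).
function frameProtectionHeaders(allowedParents = []) {
  const sources = ["'self'", ...allowedParents].join(" ");
  return {
    "Content-Security-Policy": `frame-ancestors ${sources}`,
    "X-Frame-Options": "SAMEORIGIN",
  };
}

// Constructed demonstration: an unprotected endpoint versus a hardened one.
const DEMO_SELF = "https://payments.example";
const DEMO_ATTACKER = "https://attacker.example";
console.log("no headers, framed by attacker:", mayBeFramed({}, DEMO_ATTACKER, DEMO_SELF));
console.log("hardened, framed by attacker:", mayBeFramed(frameProtectionHeaders(), DEMO_ATTACKER, DEMO_SELF));
```

Running the audit against an endpoint that performs a financial action should return `false` for every origin except the ones deliberately allowed; a `true` for an arbitrary origin, whether because the header is absent, misspelt, or set to the obsolete `ALLOW-FROM` form, is the condition that makes the one-click transfer described above possible.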