The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
paypal pays a hacker $200,000 for discovering 'one click hack' vulnerability

PayPal Pays a Hacker $200,000 for Discovering ‘One-Click-Hack’ Vulnerability

May 23, 2022

A security researcher has disclosed details of a clickjacking attack against PayPal that could be exploited to steal a victim's account balance with a single click.

Clickjacking, also known as UI redressing, is a technique in which an unwitting user is tricked into clicking seemingly innocuous web page elements such as buttons, with the goal of downloading malware, redirecting to malicious websites, or disclosing sensitive information.

This is typically achieved by displaying an invisible page or HTML element on top of the visible page, so that users believe they are clicking the legitimate page when they are in fact clicking the rogue element overlaid on it.


“Thus, the attacker is ‘hijacking’ clicks meant for [the legitimate] page and routing them to another page, most likely owned by another application, domain, or both,” security researcher h4x0r_dz wrote in a post documenting the findings.

h4x0r_dz, who discovered the issue on the “www.paypal[.]com/agreements/approve” endpoint, was awarded a $200,000 bounty for finding and reporting it in October 2021.

“This endpoint is designed for Billing Agreements and it should accept only billingAgreementToken,” the researcher explained. “But during my deep testing, I found that we can pass another token type, and this leads to stealing money from [a] victim’s PayPal account.”

This means that an adversary could embed the endpoint inside an iframe, causing a victim who is already logged in to PayPal in their web browser to transfer funds to an attacker-controlled PayPal account with a single click of a button.
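As an added illustration that is not part of the article or the researcher's work, the check a defender runs to know whether a response can be framed at all, which is the precondition for the iframe embedding described above: it evaluates the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive the way browsers do (CSP wins when both are present). The header sets and origins are constructed samples, and ports are ignored to keep the matcher short.

```javascript
// Added example: decide whether a page may be rendered inside an <iframe> on a given
// embedding origin, from the two headers browsers honour against clickjacking.
// Assumption: ports are not compared (CSP host sources may carry one; it is parsed and dropped).

function matchesSource(source, embedder, self) {
  const s = source.replace(/^'|'$/g, "").toLowerCase();
  if (s === "none") return false;             // 'none' matches nothing
  if (s === "self") return embedder === self;  // the page's own origin only
  const e = new URL(embedder);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return e.protocol === s; // scheme source, e.g. "https:"
  // host source: optional scheme, optional "*." prefix (subdomains only), host, optional port
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(?::\d+|:\*)?$/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && e.protocol !== scheme + ":") return false;
  return wildcard ? e.hostname.endsWith("." + host) : e.hostname === host;
}

function framingAllowed(headers, embedderOrigin, pageOrigin) {
  const get = (name) =>
    Object.entries(headers).find(([k]) => k.toLowerCase() === name)?.[1] ?? "";
  // When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
  const directive = get("content-security-policy")
    .split(";").map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    return sources.some((src) => matchesSource(src, embedderOrigin, pageOrigin));
  }
  const xfo = get("x-frame-options").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === pageOrigin;
  // No header, or a value modern browsers ignore (such as the obsolete ALLOW-FROM):
  // the page can be framed from anywhere, which is exactly what clickjacking needs.
  return true;
}

// Constructed sample responses (hypothetical; not PayPal's real headers).
const PAGE = "https://www.example.com";
const samples = {
  unprotected: {},
  xfoDeny: { "X-Frame-Options": "DENY" },
  cspPartner: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, framingAllowed(headers, "https://attacker.example", PAGE));
}
```

Only `unprotected` prints `true`; the other two samples refuse the cross-origin embedder.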

Even more concerningly, the attack could have had disastrous effects on online portals that integrate with PayPal for checkouts, enabling the malicious actor to deduct arbitrary amounts from users’ PayPal accounts.

“There are online services that let you add balance using PayPal to your account,” h4x0r_dz said. “I can use the same exploit and force the user to add money to my account, or I can exploit this bug and let the victim create/pay [a] Netflix account for me!”

Some components of this report are sourced from:
thehackernews.com
