The Cyber Security News
PayPal Pays a Hacker $200,000 for Discovering ‘One-Click-Hack’ Vulnerability

May 23, 2022

A security researcher has disclosed details of a clickjacking attack against PayPal that could have been exploited to steal victims’ account balances in a single click.

Clickjacking, also known as UI redressing, refers to a technique in which an unwitting user is tricked into clicking seemingly innocuous webpage elements, such as buttons, with the goal of downloading malware, redirecting them to malicious websites, or disclosing sensitive information.

This is typically achieved by displaying an invisible page or HTML element on top of the visible page, so that users are fooled into thinking they are clicking the legitimate page when they are in fact clicking the rogue element overlaid on it.



“Thus, the attacker is ‘hijacking’ clicks meant for [the legitimate] page and routing them to another page, most likely owned by another application, domain, or both,” security researcher h4x0r_dz wrote in a post documenting the findings.

h4x0r_dz, who found the issue on the “www.paypal[.]com/agreements/approve” endpoint, was awarded a $200,000 bounty for discovering and reporting it in October 2021.

“This endpoint is designed for Billing Agreements and it should accept only billingAgreementToken,” the researcher explained. “But during my deep testing, I found that we can pass another token type, and this leads to stealing money from [a] victim’s PayPal account.”


This means that an adversary could embed the aforementioned endpoint inside an iframe, causing a victim who is already logged in to PayPal in their web browser to transfer funds to an attacker-controlled PayPal account with a single click of a button.

Even more concerningly, the attack could have had disastrous consequences for online portals that integrate with PayPal for checkouts, enabling a malicious actor to deduct arbitrary amounts from users’ PayPal accounts.

“There are online services that let you add balance using PayPal to your account,” h4x0r_dz said. “I can use the same exploit and force the user to add money to my account, or I can exploit this bug and let the victim create/pay Netflix account for me!”
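The whole attack depends on the endpoint being frameable by a third-party origin, so the first check a defender runs against an endpoint like the one above is whether its response headers even permit framing. As an added example (not code from the article, from h4x0r_dz or from PayPal), the Node.js function below applies the browser rules for that decision: a Content-Security-Policy frame-ancestors directive wins over X-Frame-Options when present, every CSP policy carrying the directive must allow the embedder, and otherwise X-Frame-Options is evaluated as the HTML Standard specifies. The header objects and origins in the test are constructed values, and only the top-level embedder is checked rather than every ancestor frame.

```javascript
// Added example, not from the article: decide from response headers alone
// whether a page may be rendered inside a frame whose top-level document has
// origin `topOrigin`. `responseOrigin` is the framed page's own origin.
// Simplification: real browsers check every ancestor in the frame tree, not
// just the top-level one.

function parseFrameAncestors(policy) {
  // Source list of the frame-ancestors directive in one CSP header value,
  // or null when the policy has no such directive. An empty list (directive
  // present, no sources) is treated by browsers like 'none'.
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

function sourceMatches(source, topOrigin, responseOrigin) {
  // True when a single CSP source expression permits `topOrigin` as ancestor.
  const keyword = source.match(/^'(.*)'$/);
  if (keyword) {
    // 'self' matches the page's own origin; 'none' or any other keyword never matches
    return keyword[1].toLowerCase() === "self" && topOrigin === responseOrigin;
  }
  if (source === "*") return true;
  const top = new URL(topOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    // scheme-source such as "https:"; CSP3 lets an "http:" source also match https
    const scheme = source.toLowerCase();
    return top.protocol === scheme || (scheme === "http:" && top.protocol === "https:");
  }
  // host-source: [scheme://] [*.]host [:port | :*]
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/i);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Without an explicit scheme the embedder must use the page's own scheme (https may upgrade http)
  const wanted = scheme ? scheme.toLowerCase() + ":" : new URL(responseOrigin).protocol;
  if (top.protocol !== wanted && !(wanted === "http:" && top.protocol === "https:")) return false;
  const topHost = top.hostname.toLowerCase();
  const h = host.toLowerCase();
  if (wildcard ? !topHost.endsWith("." + h) : topHost !== h) return false;
  if (port && port !== "*") {
    const topPort = top.port || (top.protocol === "https:" ? "443" : "80");
    if (port !== topPort) return false;
  }
  return true;
}

function framingAllowed(headers, topOrigin, responseOrigin) {
  // `headers`: object keyed by lowercase header name, each value a string or
  // an array of strings, the shape Node's http module exposes.
  const policies = [].concat(headers["content-security-policy"] || []);
  const ancestorLists = policies.map(parseFrameAncestors).filter((l) => l !== null);
  if (ancestorLists.length > 0) {
    // CSP frame-ancestors decides; X-Frame-Options is ignored in this case
    return ancestorLists.every((sources) =>
      sources.some((src) => sourceMatches(src, topOrigin, responseOrigin)));
  }
  const values = [].concat(headers["x-frame-options"] || [])
    .flatMap((v) => v.split(","))
    .map((v) => v.trim().toLowerCase())
    .filter((v) => v.length > 0);
  const unique = [...new Set(values)];
  if (unique.length === 0) return true; // no framing control at all: clickjackable
  if (unique.length > 1) {
    // conflicting values block the page only if one of them is a recognised keyword
    return !unique.some((v) => v === "deny" || v === "sameorigin" || v === "allowall");
  }
  if (unique[0] === "deny") return false;
  if (unique[0] === "sameorigin") return topOrigin === responseOrigin;
  return true; // unrecognised value (e.g. the obsolete ALLOW-FROM) is ignored by browsers
}
```

A response that returns `true` for an untrusted `topOrigin` is the precondition for the one-click attack described in the article; fixing it means sending `Content-Security-Policy: frame-ancestors 'none'` (or a strict allow-list) together with `X-Frame-Options: DENY` for older clients.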



Some parts of this article are sourced from:
thehackernews.com
