According to TheHackerNews, a security researcher known online as h4x0r dz uncovered an unpatched PayPal issue that might allow attackers to deceive customers into completing transactions controlled by the attackers with a single click.
An invisible overlay page or HTML element is presented on top of the visible page in this type of assault. Users are really clicking the element controlled by the attackers that overlays the legitimate content when they click on the legitimate website.
The expert disclosed the problem to PayPal’s bug bounty program seven months ago, demonstrating that an attacker may utilize Clickjacking to steal money from victims.
The vulnerability was detected on the endpoint “www.paypal[.]com/agreements/approve,” which was built for Billing Agreement.
The endpoint should only receive billingAgreementToken, according to the expert, however this is not the case.
The victim should click all over the page to send money to the attacker’s PayPal account.
The flaw may also be used to sign up for services that accept PayPal payments.
“There are online services, such as steam!, that allow you to add balance to your account using Paypal. I can compel the user to add money to my account using the same vulnerability!” according to the researchers’ blog post. “Or I can take advantage of this flaw and have the victim create/pay for my Netflix account!”
The experts provided a proof-of-concept exploit for this flaw, which has yet to be patched, according to the experts.
Until now(writing this article), PayPal did not announce any thing!