New Unpatched Bug Could Let Attackers Steal Money from PayPal Users
A security researcher disclosed details of a clickjacking attack demonstrated against PayPal that could be exploited to steal victims' account balances in a single click.
"But during my deep testing, I found that we can pass another token type, and this leads to stealing money from [a] victim's PayPal account."
This means that an adversary could embed the aforementioned endpoint inside an iframe, causing a victim already logged in to a web browser to transfer funds to an attacker-controlled PayPal account simply at the click of a button.
Even more concerningly, the attack could have had disastrous consequences on online portals that integrate with PayPal for checkouts, enabling the malicious actor to deduct arbitrary amounts from users' PayPal accounts.
"There are online services that let you add balance using PayPal to your account," h4x0r dz said.
"I can use the same exploit and force the user to add money to my account, or I can exploit this bug and let the victim create/pay Netflix account for me!"
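The attack described above works only if the sensitive endpoint can be rendered inside a third-party iframe. The following is an added example, not code from the article, the researcher or PayPal: a defensive check that classifies a response's anti-framing headers the way current browsers enforce them. The function names `framingProtection` and `frameAncestorsLists` are hypothetical, and the header sets used to exercise it are constructed.

```javascript
// Added example: classify a response's anti-framing headers (defensive check).
// Sources that let any site embed the page.
const OPEN_SOURCES = new Set(['*', 'http:', 'https:']);

// Return the frame-ancestors source list of every policy in a CSP header value.
// Several policies may be comma-joined into one header; all of them are enforced.
function frameAncestorsLists(cspValue) {
  const lists = [];
  for (const policy of String(cspValue || '').split(',')) {
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() === 'frame-ancestors') {
        lists.push(sources.map((s) => s.toLowerCase()));
        break; // only the first occurrence of a directive in a policy counts
      }
    }
  }
  return lists;
}

function framingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // Content-Security-Policy-Report-Only is deliberately not read: it never blocks.
  const lists = frameAncestorsLists(h['content-security-policy']);
  if (lists.length > 0) {
    // An enforced frame-ancestors takes precedence over X-Frame-Options.
    // Embedding is restricted if at least one policy has no open source.
    const restricted = lists.some((src) => !src.some((s) => OPEN_SOURCES.has(s)));
    return restricted
      ? { protected: true, reason: 'csp frame-ancestors restricts embedding' }
      : { protected: false, reason: 'csp frame-ancestors allows any origin' };
  }
  const xfo = String(h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny' || xfo === 'sameorigin') {
    return { protected: true, reason: `x-frame-options ${xfo}` };
  }
  if (xfo.startsWith('allow-from')) {
    return { protected: false, reason: 'allow-from is obsolete and ignored by current browsers' };
  }
  return { protected: false, reason: 'no enforced anti-framing header' };
}
```

Run it against the headers of every state-changing page (payment, transfer, consent), not only the site's landing page, since framing protection is set per response.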
News URL
https://thehackernews.com/2022/05/paypal-pays-hacker-200000-for.html