U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A flaw in PayPal can allow attackers to steal money from users’ account

A security researcher announced the discovery of an unpatched flaw in PayPal that could allow attackers to steal money from users. TheHackerNews first reported that a security researcher (that goes online with the moniker h4x0r_dz) has discovered an unpatched flaw in PayPal that could allow attackers to trick users into completing transactions controlled by the […]

PayPal hack

A security researcher announced the discovery of an unpatched flaw in PayPal that could allow attackers to steal money from users.

TheHackerNews first reported that a security researcher (that goes online with the moniker h4x0r_dz) has discovered an unpatched flaw in PayPal that could allow attackers to trick users into completing transactions controlled by the attackers with a single click.

This kind of attack leverages an invisible overlay page or HTML element displayed on top of the visible page. Upon clicking on the legitimate page, users are in fact clicking the element controlled by the attackers that overlay the legitimate content.

PayPal hack

The expert reported the bug to the PayPal bug bounty program seven months, demonstating that attacker can steal users’ money by exploiting Clickjacking,

The researcher discovered the vulnerability on the “www.paypal[.]com/agreements/approve” endpoint, which was designed for Billing Agreement.

The endpoint should accept only billingAgreementToken, but the expert discovered that it is not true.

“I found that we can pass another tokens type, and this leads to stealing money from victim’s PayPal account.” reads the post published by the researcher. “as you can see in the picture, the attacker is able to load a sensitive paypal.com endpoint in an Iframe, and when the attacker clicks on “near to click here” He will buy something.”

The victim should click everywhere on the page, and it will send money to the attacker’s PayPal.

The issue could be also exploited to subscribe services that allow PayPal payments.

“there are online services that let you add balance using Paypal to your account for example steam! . I can use the same exploit and force the user to add money to my account!” reads the post published by the researchers. “or I can exploit this bug and let the victim create/pay Netflix account for me !.”

The experts published a PoC exploit for this issue, that according to the expert has yet to be patched.

https://youtu.be/0h85N5Ne_ac

At the time of this writing PayPal has yet to award the bug.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, domain name system)

[adrotate banner=”5″]

[adrotate banner=”13″]