A security researcher has demonstrated what he claims is a yet-unpatched vulnerability in PayPal that could essentially allow attackers to empty a victim’s PayPal account after tricking them into clicking a malicious link, in what is technically referred to as a clickjacking attack. “The PayPal clickjack vulnerability is unique in that typically hijacking a click is step one to a means of launching some other attack,” Brad Hong, vCISO, Horizon3ai, told Lifewire over email. “But in this instance, with a single click, [the attack helps] authorize a custom payment amount set by an attacker.”
Hijacking Clicks
Stephanie Benoit-Kurtz, Lead Faculty for the College of Information Systems and Technology at the University of Phoenix, added that clickjacking attacks trick victims into completing a transaction that further initiates a host of different activities. “Through the click, malware is installed, the bad actors can gather logins, passwords, and other items on the local machine and download ransomware,” Benoit-Kurtz told Lifewire over email. “Beyond the deposit of tools on the individual’s device, this vulnerability also allows bad actors to steal money from PayPal accounts.” Hong compared clickjacking attacks to the new school approach of those impossible to close popups on streaming websites. But instead of hiding the X to close out, they hide the entire thing to emulate normal, legitimate websites. “The attack fools the user into thinking they are clicking one thing when in actuality it’s something entirely different,” explained Hong. “By placing an opaque layer on top of a click area on a webpage, users find themselves routed to anywhere that’s owned by an attacker, without ever knowing.” After perusing through the technical details of the attack, Hong said it works by misusing a legitimate PayPal token, which is a computer key that authorizes automatic payment methods via PayPal Express Checkout. The attack works by placing a hidden link inside what’s called an iframe with its opacity set of zero on top of an ad for a legitimate product on a legitimate site. “The hidden layer directs you to what might seem like the real product page, but instead, it’s checking to see if you’re already logged into PayPal, and if so, it’s able to directly withdraw money from [your] PayPal account,” shared Hong. He added the one-click withdrawal is unique, and similar clickjacking bank frauds usually involve multiple clicks to trick victims into confirming a direct transfer from their bank’s website.
Too Much Effort?
Chris Goettl, VP of Product Management at Ivanti, said convenience is something attackers always look to take advantage of. “One-click pay using a service like PayPal is a convenience feature that people get used to using and will likely not notice something’s a little off in the experience if the attacker presents the malicious link well,” Goettl told Lifewire over email. To save us from falling for this trick, Benoit-Kurtz suggested following common sense and not clicking links in any type of popups or websites that we didn’t specifically go to, as well as in messages, and emails, that we didn’t initiate. “Interestingly, this vulnerability was reported back in October of 2021 and, as of today, remains a known vulnerability,” pointed out Benoit-Kurtz. We emailed PayPal to ask for their views on the researcher’s findings but haven’t received a response. Goettl, however, explained that although the vulnerability might still not be fixed, it isn’t easy to exploit. For the trick to work, attackers need to break into a legitimate website that accepts payments through PayPal and then insert the malicious content for people to click. “This would likely be found in a short period of time, so it would be a high effort for a low gain before the attack would likely be discovered,” opined Goettl.