Risk Assessments/Management, Breach, Application security

PayPal vulnerability enables cash exfiltration

Threat actors could exploit a new unpatched security flaw in PayPal's money transfer service to facilitate clickjacking attacks, which involve deceiving targets into interacting with webpage elements that trigger malicious activity, reports The Hacker News. Security researcher h4x0r_dz identified the use of the clickjacking technique on the "www.paypal[.]com/agreements/approve" page, which was reported to PayPal last October. "This endpoint is designed for Billing Agreements and it should accept only billingAgreementToken. But during my deep testing, I found that we can pass another token type, and this leads to stealing money from [a] victim's PayPal account," wrote h4x0r_dz. The findings suggest the possible use of the endpoint within an iframe to enable fund transfers to accounts controlled by threat actors. "There are online services that let you add balance using PayPal to your account. I can use the same exploit and force the user to add money to my account, or I can exploit this bug and let the victim create/pay Netflix account for me!" said the researcher.
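Clickjacking of the kind described above only works when a sensitive page can be loaded inside a third-party iframe, which is what the X-Frame-Options header and the CSP frame-ancestors directive exist to prevent. The following added example (not code from the article or from PayPal) classifies a response's framing protection from its headers; the sample responses are constructed for illustration and are not captured from any real site.

```python
"""Classify HTTP response headers by the iframe (clickjacking) protection they declare."""
from typing import Dict, List, Optional

def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None

def framing_protection(headers: Dict[str, str]) -> str:
    """Return 'deny', 'same-origin', 'allow-list' or 'unprotected'.

    frame-ancestors is checked first because CSP-aware browsers ignore
    X-Frame-Options when the directive is present. The obsolete ALLOW-FROM
    value counts as unprotected because current browsers do not honour it.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors in ([], ["none"]):      # empty source list matches nothing
            return "deny"
        if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
            return "unprotected"             # any site may frame the page
        if ancestors == ["self"]:
            return "same-origin"
        return "allow-list"                  # only the listed origins may frame it
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unprotected"

# Constructed sample responses for the audit below (hypothetical hosts).
SAMPLE_RESPONSES = {
    "no-headers": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "csp-overrides-xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors https://app.example"},
}

def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each sample name to its framing-protection classification."""
    return {name: framing_protection(h) for name, h in responses.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:20s} {verdict}")
```

Any page that performs a money-moving action on a single click should classify as "deny" or "same-origin"; "unprotected" means a third-party page can overlay it.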
