© 2021 CyberNews - Latest tech news,
product reviews, and analyses.

If you purchase via links on our site, we may receive affiliate commissions.

We found PayPal vulnerabilities – but PayPal called them trivial

34

In the news, it seems that PayPal gives a lot of money to ethical hackers that find bugs in their tools and services. In March 2018, PayPal announced that they’re increasing their maximum bug bounty payment to $30,000 – a pretty nice sum for hackers.

On the other hand, ever since PayPal moved its bug bounty program to HackerOne, its entire system for supporting bug bounty hunters who identify and report bugs has become more opaque, mired in illogical delays, vague responses, and suspicious behavior.

When our analysts discovered six vulnerabilities in PayPal – ranging from dangerous exploits that can allow anyone to bypass their two-factor authentication (2FA), to being able to send malicious code through their SmartChat system – we were met with non-stop delays, unresponsive staff, and lack of appreciation. Below, we go over each vulnerability in detail and why we believe they’re so dangerous.

When we pushed the HackerOne staff for clarification on these issues, they removed points from our Reputation scores, relegating our profiles to a suspicious, spammy level. This happened even when the issue was eventually patched, although we received no bounty, credit, or even a thanks. Instead, we got our Reputation scores (which start out at 100) negatively impacted, leaving us worse off than if we’d reported nothing at all.

It’s unclear where the majority of the problem lies. Before going through HackerOne, we attempted to communicate directly with PayPal, but we received only copy-paste Customer Support responses and humdrum, say-nothing responses from human representatives.

There also seems to be a larger issue of HackerOne’s triage system, in which they employ Security Analysts to check the submitted issues before passing them onto PayPal. The only problem – these Security Analysts are hackers themselves, and they have clear motivation for delaying an issue in order to collect the bounty themselves.

Since there is a lot more money to be made from using or selling these exploits on the black market, we believe the PayPal/HackerOne system is flawed and will lead to fewer ethical hackers providing the necessary help in finding and patching PayPal’s tools.

Vulnerabilities we discovered

In our analysis of PayPal’s mobile apps and website UI, we were able to uncover a series of significant issues. We’ll explain these vulnerabilities from the most severe to least severe, as well as how each vulnerability can lead to serious issues for the end user.

#1 Bypassing PayPal’s two-factor authentication (2FA)

Using the current version of PayPal for Android (v. 7.16.1), the CyberNews research team was able to bypass PayPal’s phone or email verification, which for ease of terminology we can call two-factor authentication (2FA). Their 2FA, which is called “Authflow” on PayPal, is normally triggered when a user logs into their account from a new device, location or IP address.

PayPal's "2FA" security check, which is easily bypassable

How we did it

In order to bypass PayPal’s 2FA, our researcher used the PayPal mobile app and a MITM proxy, like Charles proxy. Then, through a series of steps, the researcher was able to get an elevated token to enter the account. (Since the vulnerability hasn’t been patched yet, we can’t go into detail of how it was done.)

token values with permisions

The process is very simple, and only takes seconds or minutes. This means that attackers can gain easy access to accounts, rendering PayPal's lauded security system useless.

What’s the worst case scenario here?

Stolen PayPal credentials can go for just $1.50 on the black market. Essentially, it’s exactly because it’s so difficult to get into people’s PayPal accounts with stolen credentials that these stolen credentials are so cheap. PayPal’s authflow is set up to detect and block suspicious login attempts, usually related to a new device or IP, besides other suspicious actions.

But with our 2FA bypass, that security measure is null and void. Hackers can buy stolen credentials in bulk, log in with those credentials, bypass 2FA in minutes, and have complete access to those accounts. With many known and unknown stolen credentials on the market, this is potentially a huge loss for many PayPal customers.

PayPal’s response

We’ll assume that HackerOne’s response is representative of PayPal’s response. For this issue, PayPal decided that, since the user’s account must already be compromised for this attack to work, “there does not appear to be any security implications as a direct result of this behavior.”

HackerOne's muted response to the PayPal 2FA bypass

Based on that, they closed the issue as Not Applicable, costing us 5 reputation points in the process.

#2 Phone verification without OTP

Our analysts discovered that it’s pretty easy to confirm a new phone without an OTP (One-Time Pin). PayPal recently introduced a new system where it checks whether a phone number is registered under the same name as the account holder. If not, it rejects the phone number.

How we did it

When a user registers a new phone number, an onboard call is made to api-m.paypal.com, which sends the status of the phone confirmation. We can easily change this call, and PayPal will then register the phone as confirmed.

editing phone number on paypal account

The call can be repeated on already registered accounts to verify the phone.

What’s the worst case scenario here?

Scammers can find lots of uses for this vulnerability, but the major implication is unmissable. By bypassing this phone verification, it will make it much easier for scammers to create fraudulent accounts, especially since there’s no need to receive an SMS verification code.

PayPal’s response

Initially, the PayPal team via HackerOne took this issue more seriously. However, after a few exchanges, they stopped responding to our queries, and recently PayPal itself (not the HackerOne staff) locked this report, meaning that we aren't able to comment any longer.

#3 Sending money security bypass

PayPal has set up certain security measures in order to help avoid fraud and other malicious actions on the tool. One of these is a security measure that's triggered when one of the following conditions, or a combination of these, is met:

  • You’re using a new device
  • You’re trying to send payments from a different location or IP address
  • There’s a change in your usual sending pattern
  • The owning account is not "aged" well (meaning that it’s pretty new)

When these conditions are met, PayPal may throw up a few types of errors to the users, including:

  • "You'll need to link a new payment method to send the money"
  • "Your payment was denied, please try again later"

How we did it

Our analysts found that PayPal’s sending money security block is vulnerable to brute force attacks.

What’s the worst case scenario here?

This is similar in impact to Vulnerability #1 mentioned above. An attacker with access to stolen PayPal credentials can access these accounts after easily bypassing PayPal’s security measure.

PayPal’s response

When we submitted this to HackerOne, they responded that this is an “out-of-scope” issue since it requires stolen PayPal accounts. As such, they closed the issue as Not Applicable, costing us 5 reputation points in the process.

#4 Full name change

By default, PayPal allows users to only change 1-2 letters of their name once (usually because of typos). After that, the option to update your name disappears.

However, using the current version of PayPal.com, the CyberNews research team was able to change a test account’s name from "Tester IAmTester" to "christin christina".

It was pretty easy to change our test account's name, bypassing PayPal's name change security

How we did it

We discovered that if we capture the requests and repeat it every time by changing 1-2 letters at a time, we are able to fully change account names to something completely different, without any verification.

We also discovered that we can use any unicode symbols, including emojis, in the name field.

What’s the worst case scenario here?

An attacker, armed with stolen PayPal credentials, can change the account holder’s name. Once they’ve completely taken over an account, the real account holder wouldn’t be able to claim that account, since the name has been changed and their official documents would be of no assistance.

PayPal’s response

This issue was deemed a Duplicate by PayPal, since it had been apparently discovered by another researcher.

#5 The self-help SmartChat stored XSS vulnerability

PayPal’s self-help chat, which it calls SmartChat, lets users find answers to the most common questions. Our research discovered that this SmartChat integration is missing crucial form validation that checks the text that a person writes.

PayPal's SmartChat stored XSS vulnerability

How we did it

Because the validation is done at the front end, we were able to use a man in the middle (MITM) proxy to capture the traffic that was going to Paypal servers and attach our malicious payload.

What’s the worst case scenario here?

Anyone can write malicious code into the chatbox and PayPal’s system would execute it. Using the right payload, a scammer can capture customer support agent session cookies and access their account.

With that, the scammer can log into their account, pretend to be a customer support agent, and get sensitive information from PayPal users.

PayPal’s response

The same day that we informed PayPal of this issue, they replied that since it isn’t “exploitable externally,” it is a non-issue. However, while we planned to send them a full POC (proof of concept), PayPal seems to have removed the file on which the exploit was based. This indicates that they were not honest with us and patched the problem quietly themselves, providing us with no credit, thanks, or bounty. Instead, they closed this as Not Applicable, costing us another 5 points in the process.

#6 Security questions persistent XSS

This vulnerability is similar to the one above (#5), since PayPal does not sanitize its Security Questions input.

How we did it

Because PayPal’s Security Questions input box is not validated properly, we were able to use the MITM method described above.

Here is a screenshot that shows our test code being injected to the account after refresh, resulting in a massive clickable link:

PayPal's security questions persistent XSS

What’s the worst case scenario here?

Attackers can inject scripts to other people's accounts to grab sensitive data. By using Vulnerability #1 and logging in to a user’s account, a scammer can inject code that can later run on any computer once a victim logs into their account.

This includes:

  • Showing a fake pop up that could say “Download the new PayPal app” which could actually be malware.
  • Changing the text user is adding. For example, the scammer can alter the email where the money is being sent.
  • Keylogging credit card information when the user inputs it.

There are many more ways to use this vulnerability and, like all of these exploits, it’s only limited by the scammer’s imagination.

PayPal’s response

The same day we reported this issue, PayPal responded that it had already been reported. Also on the same day, the vulnerability seems to have been patched on PayPal’s side. They deemed this issue a Duplicate, and we lost another 5 points.

PayPal’s reputation for dishonesty

PayPal has been on the receiving end of criticism for not honoring its own bug bounty program.

Most ethical hackers will remember the 2013 case of Robert Kugler, the 17-year old German student who was shafted out of a huge bounty after he discovered a critical bug on PayPal’s site. Kugler notified PayPal of the vulnerability on May 19, but apparently PayPal told him that because he was under 18, he was ineligible for the Bug Bounty Program.

But according to PayPal, the bug had already been discovered by someone else, but they also admitted that the young hacker was just too young.

Another researcher earlier discovered that attempting to communicate serious vulnerabilities in PayPal’s software led to long delays. At the end, and frustrated, the researcher promises to never waste his time with PayPal again.

There’s also the case of another teenager, Joshua Rogers, also 17 at the time, who said that he was able to easily bypass PayPal’s 2FA. He went on to state, however, that PayPal didn’t respond after multiple attempts at communicating the issue with them.

PayPal acknowledged and downplayed the vulnerability, later patching it, without offering any thanks to Rogers.

The big problem with HackerOne

HackerOne is often hailed as a godsend for ethical hackers, allowing companies to get novel ways to patch up their tools, and allowing hackers to get paid for finding those vulnerabilities.

It’s certainly the most popular, especially since big names like PayPal work exclusively with the platform. There have been issues with HackerOne’s response, including the huge scandal involving Valve, when a researcher was banned from HackerOne after trying to report a Steam zero-day.

However, its Triage system, which is often seen as an innovation, actually has a serious problem. The way that HackerOne’s triage system works is simple: instead of bothering the vendor (HackerOne’s customer) with each reported vulnerability, they’ve set up a system where HackerOne Security Analysts will quickly check and categorize each reported issue and escalate or close the issues as needed. This is similar to the triage system in hospitals.

These Security Analysts are able to identify the problem, try to replicate it, and communicate with the vendor to work on a fix. However, there’s one big flaw here: these Security Analysts are also active Bug Bounty Hackers.

Essentially, these Security Analysts get first dibs on reported vulnerabilities. They have full discretion on the type of severity of the issue, and they have the power to escalate, delay or close the issue.

That presents a huge opportunity for them, if they act in bad faith. Other criticisms have pointed out that Security Analysts can first delay the reported vulnerability, report it themselves on a different bug bounty platform, collect the bounty (without disclosing it of course), and then closing the reported issue as Not Applicable, or perhaps Duplicate.

As such, the system is ripe for abuse, especially since Security Analysts on HackerOne use generic usernames, meaning that there’s no real way of knowing what they are doing on other bug bounty platforms.

What it all means

All in all, the exact “Who is to blame” question is left unanswered at this point, because it is overshadowed by another bigger question: why are these services so irresponsible?

Let’s point out a simple combination of vulnerabilities that any malicious actor can use:

  1. Buy PayPal accounts on the black market for pennies on the dollar. (On one blackhat forum, you can buy a $5,000 PayPal account for just $150, giving you a 3,333% ROI.)
  2. Use Vulnerability #1 to bypass the two-factor authentication easily.
  3. Use Vulnerability #3 to bypass the sending money security and easily send money from the linked bank accounts and cards.

Alternatively, the scammer can use Vulnerability #1 to bypass 2FA and then use Vulnerability #4 to change the account holder’s name. That way, the scammer can lock the original owner out of their own account.

While these are just two simple ways to use our discovered vulnerabilities, scammers – who have much more motivation and creativity for maliciousness (as well as a penchant for scalable attacks) – will most likely have many more ways to use these exploits.

And yet, to PayPal and HackerOne, these are non-issues. Even worse, it seems that you’ll just get punished for reporting it.

Our hand-picked digital services for online presence and privacy

Comments
David Archer
David Archer
prefix 10 months ago
PayPal’s 2 Factor security can be bypassed, based on my experience this week. On Saturday 12//5/2020 Walmart rejected a transaction made through my PayPal account. I thought ok, since the pandemic this was a screwup as I got the money refunded the same day. On Monday I got a PP notification that I had purchased an Apple Mac for $2199.00 via EBay – I was able to contact the seller before the Mac shipped and they cancelled the transaction. I then turned on 2 Factor and deleted all the payment methods other than PayPal Credit.
On Wednesday I got a notification from PP that I had just purchased a CarFax product – NOTE: I NEVER GOT ANY TXT PROVIDING A SECONDARY CODE TO MY PHONE. I immediately phoned PP and while I was on the phone with a PP Rep, another $70.00 transaction went through for software, Again no code to my phone.
Really pissed at PP, got them to freeze my PP account.
It is Bullshit that a company providing financial services has security that can be bypassed.
Eugene Kulic
Eugene Kulic
prefix 10 months ago
Stace,
was there any progress with your case?
i am in similar situation,
Gene
Aida
Aida
prefix 11 months ago
Paypal is Suppose To PROTECT Our PERSONAL INFORMATION!! & Catch The BAD PEOPLE HACKERS Behind Paypal!!!!
Corruption
Corruption
prefix 1 year ago
I have been trying to gain access to my PayPal account probably a month now. I don’t have the cellphone number anymore because I am getting the message Get you one time code – Text message to 608.
I have been on live chat with someone and they seem to not be able to match any of my information with my account.
The next live agent could not help me because she had limited access. At first she was going to send me a link to reset my password and I told her that wasn’t the problem. I said my landline was registered with my Paypal account
and my Paypal Prepaid card so you can just sent me a code to my email address or call my landline and give it to me. She refused and said “their system is not set up that way” She gave me phone support’s number.. Then I said lets try to reset the password and see what that does. She refused. Any number of Paypal you call they tell you to send a message their not able to help with the situation over the phone. I found out today 09/24/2020 that someone tried to use my Paypal prepaid card 4 times for the month of September 2020..
Waldemar K
Waldemar K
prefix 1 year ago
Thank you for that article. This will make me rethink about using only paypal in e-commerce. Better if I use also/or only other companies for woocommerce, maybe more reliable and less arrogant companies
john doe
john doe
prefix 1 year ago
wow … interesting
Stace
Stace
prefix 1 year ago
I am so happy I found this article!

I should begin that a hacker somehow got hold of my Paypal login details and ordered a physical server, in Slovakia, while I live in a different country and have never set foot in Slovakia (upon the research of the shop I also found out that they delivered only locally). I reported the unauthorised activity to Paypal, but the bot denied my request and automatically closed the case. I turned in a formal complaint, and the two people I spoke to basically repeated what the bot had said and advised me to top up my balance, which is now negative.

What is also interesting is that on the day of the purchase, I saw that three changes had been made, but I couldn’t see what exactly they were. I also never received a receipt of that purchase. When I tried bringing it up with Paypal, I only got the bot’s response that the changes were noted, but both the human customer support ignored it.

At some point, Paypal stopped responding to my messages and put me on the debtors list instead, as I got a call a few days ago basically telling me I am responsible for my negative balance, and I have 7 days to sort it out.

I have an appointment at the local police office tomorrow, as I believe that Paypal is overstepping boundaries in several ways: 1)Their cyber security system was not bullet-proof enough, so someone from a different country could just login to my account, from a different device, make 3 changes in one day and spend nearly 300 euro in a shop in a country where I couldn’t possibly be and that only delivers locally. 2)Now, the hacker has got my identity details: my name, my phone number, my address, bank account number, you name it. Because of Paypal, international identity theft has been committed, I have already been robbed, and who knows what is coming next. 3)Instead of fixing their security system and catching the hacker (which is not imporrible, as they’ve got the details of the shop the purchase was made at), Paypal decides to invest into chasing a customer of over 8 years with flawless track record and threaten me with debt collecting agencies..all during the great recession and my recently being laid of as a result of it!

I am going to see what the police says on Friday, but I am also thinking of starting a court case against Paypal.

@Bernard Meyer do you have any advice for me? Could you please help me think of which route the hacker could have used to gain entrance into my account? If it was something you have already researched and Paypal still hasn’t fixed it, they should be liable for that. Thank you in advance!
micel
micel
prefix 1 year ago
simple solution .. untill they pay what they promised why not exploit, making PP look bad/worse ??

good job finding those vul’s
Adem Mansouri
Adem Mansouri
prefix 1 year ago
Hello guys ,
Life is unfair sometimes don’t give up okay , i agree with your first bug , but the rest of’em are actually “OUT OF SCOPE” bugs ,they’ve mentioned in their policy that “Attack requires MITM or phisical access to user’s devises is exluded” , I think they’re right because if you were able to access to thier devices why would you execute persistence XSS instead of stealing their credentials directly … etc ,

Just give it another try , and don’t give up
Martin Hunter
Martin Hunter
prefix 1 month ago
Just because you and PayPal’s less-than-minimum-wage tech support don’t understand how dangerous an exploit could be, doesn’t automatically make them “out of scope.” Not a single one of the exploits mentioned above required access to any device that was being exploited, so before you go putting your two cents in and agreeing that someone is wrong, do some more research and make sure YOU are correct first.
xxx
xxx
prefix 1 year ago
Paypal is evil 🙁
Unspecified
Unspecified
prefix 1 year ago
You should use the same disclosure deadline policy as Project Zero team, if they don’t care to patch bugs disclose it.
Vincent Warte
Vincent Warte
prefix 1 year ago
Just sell the zero-days. PP deserves all the bad karma that it may get.
vega
vega
prefix 1 year ago
I agree
Peter
Peter
prefix 1 year ago
simple solution .. untill they pay what they promised why not exploit, making PP look bad/worse ??

good job finding those vul’s

Peter
Honest
Honest
prefix 1 year ago
blazespin, I think that you need to go and search for a brain….
Unspecified
Unspecified
prefix 1 year ago
I had a similar experience using Hackerone years ago and never used it since. I reported a serious vulnerability in a website app and it took six months to get a response, and it stated they had already fixed the exploit. Yes, they fixed it after I reported it then waited six months to tell me I would not get credit or paid. Now I sell exploits to people who actually want to pay me.
Bernard Meyer
Bernard Meyer
prefix 1 year ago
That’s very sad to hear, but I understand your type of position. Of course, I disagree with selling exploits to, i assume black hat hackers, and I’m hoping that H1/PayPal can fix the way they handle these submissions, so that your response doesn’t become a general response.
blazespin
blazespin
prefix 1 year ago
It looks like you made a lot of mistakes when using the platform and didn’t read the scope very well before submitting, which results in noise for PayPal.

https://hackerone.com/paypal

#1 The scope for paypal is very clear that vulns requiring accounts are out of scope. eg, out of scope – “Vulnerabilities involving stolen credentials”

#2 It’s not that clear, but pretty sure this falls under “Reports that involve a secondary user account where an existing business relationship is being leveraged and the impact is limited solely to the parent account”

#3 “Vulnerabilities involving stolen credentials”

#4 Duplicate Issues happen – you should have got a rep bonus for that. Did they provide you with the original report? Did you search for it?

#5 You should have submitted a POC with video (simply post back of data from CSR browser would have done it). See quality reports on hackerone. If it was cross/persistent XSS then they would have been very very grateful for bringing it to their attention. My guess, is that the vuln wasn’t quite what you thought it was (ie, there was sanitization for the CSR)

#6 If you lost rep, that doesn’t make sense, unless it was already published. Did you search for it? There are stored XSS issues on Paypal. The fact that it was fixed same day is definitely likely that it was definitely a dupe, though. Nobody fixes things same day, that’s just a recipe for disaster.

I think your compliant about issues marked as Dupe being abused by security analysis is potentially valid if they are not providing you with the original report. If that is happening, it’s certainly worth mentioning, but you don’t do that anywhere here which leads me to believe that you are probably missing important details.

Also, your lack of POCs are an example of low quality reports and I can see them being dismissed as noise.
Bernard Meyer
Bernard Meyer
prefix 1 year ago
Hi there blazespin –

Thanks for your comments. I’m confused by your assumption that there’s a lack of POCs. It would be unethical for us to release full POCs for issues that haven’t been patched. Hackers would just have a new way to break into stolen credentials and steal innocent people’s funds. We don’t want to create new victims here – we want to stop victims from being created by these simple vulnerabilities.

Secondly, we agree that H1 accurately defined these as “out of scope” — our issue is that PP is far too strict in how it treats “out of scope” issues. Because, at the end of the day, it’s a security vulnerability that needs to be fixed.

Third – the issues are marked as dupe, and our requests to be added to the original report (since we have extra info) were rejected. We also didn’t get any substantial proof that it was duplicate, other than H1 staff claiming as such.

In general, what’s PayPal’s position here? “We know that there are vulnerabilities, and we agree that they can be used to steal money from people’s accounts. But it’s out of scope, so c’est la vie”? Not very responsible, is it?

Beyond that, we have issues with the leisurely way in which the situation is handled at HackerOne, and we believe they need to be more transparent with ethical hackers submitting issues. If it’s a dupe, show us the original report. If we have more info, add us to the report. Recognize the severity of the issue, even if it’s out of scope.

The problem with third-party bug bounty platforms is that they treat everyone as if they’re trying to only get money from this. That isn’t the case. We’re trying to fix these issues. So, in total, for H1: more collaboration, more transparency, less vagueness.
Emergence
Emergence
prefix 1 year ago
blazespin, you sound like a paypal mouthpiece.
Alex Gurrola
Alex Gurrola
prefix 1 year ago
That’s truly horrifying. I use PayPal for tons of e-commerce, but I guess it’s time to use Venmo or Zelle until security at PayPal is taken more seriously.
Bernard Meyer
Bernard Meyer
prefix 1 year ago
I think the issue is that they’re simply too big to notice the “smaller” vulnerabilities, vulnerabilities which can definitely be easily and quietly exploited.
Anti PayPal
Anti PayPal
prefix 1 year ago
Venmo is owned by PayPal
Chad
Chad
prefix 1 year ago
Venmo is owned by PayPal.
Owen Miller
Owen Miller
prefix 1 year ago
Wow, I feel terrible for you guys, having your expertise wasted by such ungrateful people.
Bernard Meyer
Bernard Meyer
prefix 1 year ago
It is quite disappointing, since our main goal is not to get a bounty, but to get this issue patched. I can only imagine the amount of people already affected by this vulnerability. The reasoning behind PayPal’s refusal to fix it isn’t clear to me.
James
James
prefix 1 year ago
Actually the fix to a dishonest company abusing a bug hunting program for pure marketing is simple:

If they close your bug report as “no security impact”, give them 14 days and then simply do the full disclosure. They can’t really complain if they first decline it as “no impact”. And a full-disclosure forces them to implement a fix fast – unless they are right and there is no security impact really.

I wonder why you did not go that way after so much disappointment.
jd
jd
prefix 1 year ago
Well, you can always sell the zero-day’s and make money instead.
Anon
Anon
prefix 1 year ago
sell full method on black market using tor, get money, fuck paypal
PayPal Customer
PayPal Customer
prefix 1 year ago
I just had a similar experience.

I contacted PayPal customer support because I wanted to know how I can verify if my account details have been breached in the way described in your article (explicitely mentioning your article) and why PayPal is treating security researchers this way.

The first human customer support staff said she couldn’t say anything in this regard and pasted some generic words about PayPal caring for customer safety in the chat. I waited so long for her reply that my session expired. She wrote that she’s seeing I’m offline but as soon as I’m back online and would reply someone would get back in touch with me.

The automatic chat log said: “Our employee answers within an hour to your message”.

I came back online and replied that some flowery phrases do not answer my questions.
An hour later I wrote in the chat “That is a long hour…” and the conversation has been closed. I’ve got screenshots as proof.
Bernard Meyer
Bernard Meyer
prefix 1 year ago
Hi there – we’d be happy to see what you’ve got. You can send it directly to me at [email protected]
Malte
Malte
prefix 1 year ago
Hello Mr. Bernard Meyer. Thanks for this important article. Since yesterday german Paypal accounts associated to Google Pay have been abused. Most of the debit transactions were made in name of Target (the Store) & Starbucks in the USA. Users who are affected by this “hack?” have multiple debits ranging from 1 cent to over 1000 Euros. It’s not clear if it’s Google’s or Paypal’s fault. Nobody wants responsibility for this big problem. Even people with 2FA are affected and they have never been in or made any transactions to the USA. This is very concerning. At this moment it seems only german Paypal accounts are affected. I leave here a link to a german IT news blog https://stadt-bremerhaven.de/zahlreiche-kunden-betroffen-unberechtigte-abbuchung-von-paypal-ueber-google-pay/ After reading your article it seems it could be Paypal who is at fault. What is your opinion?
Bernard Meyer
Bernard Meyer
prefix 1 year ago
These issues seem to be two sides of the same coin. Lack of communication, lack of accountability, I think it seems to be related to how PayPal via HackerOne is handling serious vulnerability issues.

And, similar to our specific cases mentioned above, it’s only a matter of time before a blackhat hacker uses this for large scale fraud.

Thanks for pointing this out to us!
Leave a Reply

Your email address will not be published. Required fields are marked