Security flaw in PayPal's Google Pay integration enabled hackers to make unauthorised payments

Hackers have been exploiting a security bug in PayPal's Google Pay integration to make unauthorised transactions and buy products online.

The issue has affected a large number of PayPal users, who reported it on various platforms, including PayPal's forums, Twitter, and Reddit.

The victims claim that their Google Pay accounts were abused by hackers to make online purchases charged to their PayPal accounts. They only became aware of the fraud after noticing unexpected transactions in their PayPal history, all of which originated from their Google Pay accounts.

Most of the unauthorised transactions were made at US retailers, with some individual purchases exceeding €1,000.

Moreover, most of the victims were based in Germany.

"Although the way this attack was carried out is not yet entirely clear, it is extremely important to add two-factor authentication to your PayPal account if you have not already," said Jake Moore, a cyber security specialist at ESET.

"Attackers are able to rifle through accounts when they hack in, especially when users have a password linked to PayPal that they may use somewhere else. It is also worth double-checking which third-party accounts are linked, as this may be another entry point for cyber criminals," he added.

Meanwhile, German security researcher Markus Fenske suggested on Twitter that the issue appears to be similar to a bug reported to PayPal in February 2019, which the company appears to have ignored.

Fenske said that the bug was discovered by him and fellow security researcher Andreas Mayer.

Fenske believes the hackers likely found a way to obtain the details of the virtual cards that PayPal generates when a Google Pay account is linked to a PayPal account. PayPal assigns each such card a card number, expiry date, and CVC, which together are enough to make card-not-present purchases online.

The hackers then likely used the card details of multiple users to carry out the fraudulent transactions.

According to Fenske, an attacker could obtain a virtual card's details by guessing them, by using malware, or by reading them off the user's phone screen.
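The article does not say which of those three routes was used, and "guessing" a card sounds implausible for a 16-digit number. The following is an added illustration, written for this page and not taken from the article or from Fenske and Mayer's research, of the arithmetic behind that word. It assumes (an assumption, not something the article states) that the virtual cards are ordinary 16-digit card numbers with a 6-digit issuer prefix (BIN), a Luhn check digit, a 3-digit CVC and an expiry date somewhere in a 36-month window. Under those assumptions the Luhn digit is fully determined by the other digits, so an attacker who knows the issuer prefix faces 10^9 possible card numbers rather than 10^10, and a further factor of 36,000 for expiry and CVC if nothing else leaks.

```python
"""Luhn check digit, candidate enumeration and search-space arithmetic.

Added example for this page; the 6-digit BIN, 16-digit length, 3-digit CVC
and 36-month expiry window are assumptions, not facts stated in the article.
"""
from typing import Iterator, Tuple


def luhn_check_digit(payload: str) -> int:
    """Return the check digit that makes payload + digit Luhn-valid.

    The Luhn algorithm doubles every second digit counting from the right of
    the full number; with the check digit appended at the rightmost position,
    that means the even indexes of the reversed payload are doubled.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True if the full card number (payload + check digit) passes Luhn."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == int(pan[-1])


def enumerate_pans(prefix: str, pan_len: int = 16) -> Iterator[str]:
    """Yield every Luhn-valid card number of length pan_len starting with prefix.

    Because the check digit is derived, there is exactly one valid number for
    each choice of the free (non-prefix, non-check) digits.
    """
    free = pan_len - len(prefix) - 1
    if free < 0:
        raise ValueError("prefix is longer than a card number minus its check digit")
    for n in range(10 ** free):
        payload = prefix + str(n).zfill(free)
        yield payload + str(luhn_check_digit(payload))


def candidate_space(bin_len: int = 6, pan_len: int = 16,
                    expiry_months: int = 36, cvc_digits: int = 3) -> Tuple[int, int]:
    """Return (number of possible card numbers, number of full card tuples).

    A full tuple is card number + expiry month + CVC, i.e. what a
    card-not-present merchant asks for.
    """
    free_digits = pan_len - bin_len - 1          # minus the Luhn check digit
    pans = 10 ** free_digits
    return pans, pans * expiry_months * 10 ** cvc_digits


if __name__ == "__main__":
    # Classic Luhn test vector and a well-known sandbox number (not real cards).
    for pan in ("79927398713", "4111111111111111"):
        print(pan, "valid" if luhn_valid(pan) else "invalid")
    # Enumerate the 100 valid numbers that share a constructed 13-digit prefix.
    sample = list(enumerate_pans("4000000000000"))
    print(len(sample), "valid numbers, first:", sample[0], "last:", sample[-1])
    pans, tuples = candidate_space()
    print(f"{pans:,} card numbers behind a known BIN; {tuples:,} (number, expiry, CVC) tuples")
```

The point of the numbers: with no feedback, 3.6 x 10^13 tuples is not a brute-force target; "guessing" only becomes realistic if the card numbers are allocated predictably, if expiry and CVC are obtained some other way, or if a merchant lets an attacker test candidates without rate limiting. The article does not say which, if any, of these applied here.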

PayPal said today that an 'exploitation point' that had enabled hackers to execute unauthorised transactions from PayPal had now been fixed.

This is, however, not the first time security issues have been reported in PayPal's platform.

In 2018, ESET researchers uncovered a new Android Trojan that targeted the official PayPal app and was capable of bypassing PayPal's two-factor authentication.

Last week, CyberNews reported that its researchers were punished by PayPal after discovering and reporting six vulnerabilities in PayPal's platform. According to CyberNews, the vulnerabilities ranged from dangerous exploits for bypassing two-factor authentication to injecting malicious code through PayPal's SmartChat system.