For some time, hackers may have been able to use PayPal accounts to make purchases.
This would be possible because of a security flaw said to exist in PayPal's integration with Google Pay.
The problem was revealed by several PayPal users who claimed to have observed in their history several transactions that they had not made themselves and that came from Google Pay. These testimonials appeared on several platforms, such as forums dedicated to PayPal, Twitter and even Reddit. They were usually accompanied by screenshots showing that the illegal purchases made with user accounts were usually in U.S. stores. Many of the victims were German users.
While PayPal officials announced that an investigation was under way, on Google's side there was radio silence. One wonders what could have been the problem.
A computer security researcher of German origin set out to explain the cause of this bug. He laid out his theory on Twitter.
Markus Fenske, the security researcher, says that the illicit transactions on users' accounts stem from a security flaw. He reported this flaw in February 2019, a flaw he discovered with his colleague Andreas Mayer. Unfortunately, the firm has not really worked to address this vulnerability. According to the security specialist, everything happens at the time of PayPal account integration with Google Pay.
During this procedure, PayPal sets up a kind of virtual card with its own card number and other identifying information, such as the card's expiry date and security code. In principle, the idea is to allow all Google Pay users to use this virtual card to make transactions drawing on their PayPal funds. "If the virtual card were locked to work only on physical point-of-sale payments, there would be no problem.
But PayPal allows you to use this virtual card for online transactions as well," explains the expert. So, according to Markus Fenske, the hackers could well have found ways to read the information on these virtual cards, collect it and use it to carry out transactions without the knowledge of the real users. However, the expert did not fail to point out that all his explanations are merely hypotheses, an assumption made on the basis of the security flaw discovered last year.
PayPal said it had launched an internal investigation to further clarify the case. The company said it had taken into account Markus Fenske's remarks, as well as the report he wrote with his colleague in February 2019. "The security of our customers' accounts is a top priority in our company (…) We verify this information and will take all appropriate and necessary measures to further protect our customers," PayPal's spokesman said.