Hackers have found a bug in PayPal’s Google Pay integration and are now using it to buy products online and incur unauthorized charges to PayPal accounts.
Since last Friday, users have reported seeing mysterious transactions pop up in their PayPal history as originating from their Google Pay account.
Issues have been reported on numerous platforms, such as PayPal’s forums [1, 2, 3, 4, 5, 6, 7], Reddit [1, 2], Twitter [1, 2], and Google Pay’s Russian and German support forums [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].
Victims report that hackers are abusing their Google Pay accounts to buy products using linked PayPal accounts. According to screenshots and various testimonies, most of the illegal transactions are taking place at US shopping stores, and especially at Target stores.
Most of the victims appear to be German users.
Estimated damages are in the range of tens of thousands of euros, based on public reports. Some transactions go over €1,000.
What bug hackers are exploiting is not yet clear. PayPal told ZDNet they are investigating the issue. A Google spokesperson did not return a request for comment before this article’s publication.
A German security researcher has a theory
Today, on Twitter, a German security researcher named Markus Fenske claimed the illegal transactions that have been reported over the weekend appear to be similar to a bug he and fellow security researcher Andreas Mayer reported to PayPal in February 2019, but which PayPal did not prioritize to fix.
Fenske told ZDNet that the issue stems from the fact that when you link a PayPal account to a Google Pay account, PayPal creates a virtual card, complete with its own card number, expiration date, and CVC.
When a Google Pay user chooses to make a contactless payment using funds from his PayPal account, the transaction is charged via this virtual card.
“If the virtual card was locked to POS transactions only, there would be no issue, but PayPal allows this virtual card to be used for online transactions,” Fenske told ZDNet today in an interview.
Fenske now believes hackers found a way to discover the details of these virtual cards and are using their details for unauthorized transactions online.
The researcher said there could be three ways in which an attacker could get a virtual card’s details. First, by reading the card details from a user’s phone/screen. Second, programmatically, by using malware that infected a user’s device. Third, by guessing it.
“It could be possible that the attacker just brute-forced the card number and the validity date, which is in a span of about a year or so,” Fenske said. “That makes a rather small search space.”
“The CVC does not matter,” he added. “Any is accepted.”
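The two controls Fenske's description points at, binding the virtual card to the contactless channel it was provisioned for and actually verifying the CVC, together with a decline counter that would surface repeated guessing against one card, sketched as an added Python example. This is not PayPal's or Google's code: the class names, field names, policy rules and sample transactions are all constructed for illustration.

```python
"""Authorization policy for a wallet-provisioned virtual card.

Added illustration, not PayPal's or Google's code: the class names, field names,
policy rules and sample transactions are all constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple
import hmac


@dataclass(frozen=True)
class VirtualCard:
    token_id: str                     # identifier of the provisioned card (constructed)
    expiry: str                       # "MM/YY" as provisioned
    cvc: str                          # security code as provisioned
    allowed_channels: FrozenSet[str]  # {"pos"} for a contactless-only token


@dataclass(frozen=True)
class AuthRequest:
    token_id: str
    expiry: str
    cvc_presented: Optional[str]  # None when the merchant sent no CVC
    channel: str                  # "pos" (contactless/chip) or "ecommerce"
    merchant: str
    amount_eur: float


@dataclass
class DeclineMonitor:
    """Counts credential-mismatch declines per token; several in a row suggest
    someone is guessing expiry dates or CVCs against that card."""
    threshold: int = 3
    counts: Dict[str, int] = field(default_factory=dict)

    def record(self, token_id: str, reason: str) -> bool:
        """Return True when the token has hit the threshold and should be suspended."""
        if reason in ("expiry mismatch", "cvc missing or mismatch"):
            self.counts[token_id] = self.counts.get(token_id, 0) + 1
        return self.counts.get(token_id, 0) >= self.threshold


def authorize(card: VirtualCard, req: AuthRequest) -> Tuple[bool, str]:
    """Deny-by-default checks; returns (approved, reason)."""
    if req.token_id != card.token_id:
        return False, "unknown token"
    # Channel binding: a token provisioned for contactless use is not valid
    # for card-not-present (online) purchases, whatever else matches.
    if req.channel not in card.allowed_channels:
        return False, f"channel '{req.channel}' not permitted for this token"
    if req.expiry != card.expiry:
        return False, "expiry mismatch"
    # The CVC must be present and must match; constant-time compare avoids timing leaks.
    if req.cvc_presented is None or not hmac.compare_digest(req.cvc_presented, card.cvc):
        return False, "cvc missing or mismatch"
    return True, "approved"


# Constructed sample data: one legitimate contactless purchase, one online
# purchase attempted with the same card, then three requests with wrong credentials.
CARD = VirtualCard("tok-0001", "05/21", "123", frozenset({"pos"}))
SAMPLE_REQUESTS = [
    AuthRequest("tok-0001", "05/21", "123", "pos", "Supermarket (contactless)", 23.40),
    AuthRequest("tok-0001", "05/21", None, "ecommerce", "online-store.example", 1200.00),
    AuthRequest("tok-0001", "04/21", "000", "pos", "Supermarket (contactless)", 9.99),
    AuthRequest("tok-0001", "05/21", "999", "pos", "Supermarket (contactless)", 9.99),
    AuthRequest("tok-0001", "05/21", "111", "pos", "Supermarket (contactless)", 9.99),
]


def run_sample() -> List[Tuple[bool, str, bool]]:
    """Authorize each sample request; returns (approved, reason, suspend_token) per request."""
    monitor = DeclineMonitor(threshold=3)
    results = []
    for req in SAMPLE_REQUESTS:
        approved, reason = authorize(CARD, req)
        suspend = monitor.record(req.token_id, reason)
        results.append((approved, reason, suspend))
    return results


if __name__ == "__main__":
    for req, (ok, why, susp) in zip(SAMPLE_REQUESTS, run_sample()):
        print(f"{req.merchant:28} {req.channel:9} EUR {req.amount_eur:8.2f} -> "
              f"{'APPROVED' if ok else 'DECLINED'} ({why})"
              f"{' [token suspended]' if susp else ''}")
```

The channel check runs before any credential comparison, so an online request against a contactless-only token is refused even when the card number, expiry and CVC are all correct; the decline monitor then gives the issuer a signal to act on when one token keeps attracting mismatched credentials.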
PayPal is investigating
However, Fenske was the first to tell ZDNet that he and Mayer are only guessing about the real cause of the attack — even if the details fit the bug they reported last year.
On the other hand, PayPal’s security team began an investigation into the unauthorized transactions as soon as ZDNet reached out a few hours ago.
The PayPal staff is looking at different issues — including the attack scenario described by Fenske today, and his February 2019 bug report.
“The security of customer accounts is a top priority for the company,” a PayPal spokesperson told ZDNet. “We are reviewing and assessing this information and will take any appropriate actions that are deemed necessary to further protect our customers.”
h/t: Günter Born