Hackers recently discovered a vulnerability in PayPal’s Google Pay integration and are now using it to make unauthorized transactions through PayPal accounts, ZDNet reported. Since Friday, users have reported mysterious transactions originating from their Google Pay account suddenly appearing in their PayPal history.
Victims reported that hackers abused their Google Pay accounts to purchase products using the linked PayPal accounts. According to screenshots and various testimonies, most of the unauthorized transactions took place in U.S. stores, especially Target stores throughout New York. Most of the victims appear to be German users.
According to public reports, the losses are estimated to be in the tens of thousands of euros, with some unauthorized transactions well in excess of 1,000 euros. It is not clear which vulnerabilities hackers are exploiting. PayPal told ZDNet that it was investigating the issue. A Google spokesman did not return a request for comment before the article was published.
Markus Fenske, a German security researcher, said on Twitter on Monday that the unauthorized transactions reported over the weekend appeared to match the vulnerabilities he and security researcher Andreas Mayer reported to PayPal in February 2019, but that PayPal had not prioritized a fix.
Fenske told ZDNet that the vulnerability he found stems from the way PayPal links to Google Pay: when a user links a PayPal account to a Google Pay account, PayPal creates a virtual card with its own card number, expiration date and CVC. When a Google Pay user chooses to make a contactless payment using funds from their PayPal account, the transaction is charged to that virtual card.
“If you only lock a virtual card to POS transactions, there’s no problem, but PayPal allows the virtual card to be used for online trading,” Fenske said in an interview. Fenske now believes that hackers have found a way to discover the details of these virtual cards and are using those details for unauthorized transactions in U.S. stores.
The researchers say attackers can obtain the details of a virtual card in three ways. First, by reading the card details from the user’s phone or screen. Second, through malware that infects the user’s device and obtains them. Third, through guesswork. “The attacker might just force the card number and the validity period together, which is about a year or so,” Fenske said. This makes the search space very small. He added: “CVC doesn’t matter. Any one is accepted.”
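From the issuer’s side, the weakness Fenske describes (a POS-only virtual card accepted for online purchases, a CVC that is not verified, and a small expiry search space) is an authorization-policy problem. The following added example is not code from PayPal, Google or the researchers; it sketches the checks a defender would want at authorization time: binding the card to its issued channel, verifying CVC and expiry, and locking a PAN after repeated declines so that guessing is detected rather than rewarded. The class, channel labels, threshold and sample card are all assumptions.

```python
from collections import defaultdict
from datetime import date


class VirtualCardIssuer:
    """Hypothetical issuer-side authorization for wallet-backed virtual cards."""

    MAX_FAILED_PER_PAN = 5  # assumed threshold: lock the PAN after this many declines

    def __init__(self, cards, today):
        # cards: pan -> {"exp": (yyyy, mm), "cvc": str, "channels": set of allowed channels}
        self.cards = cards
        self.today = today
        self.failed = defaultdict(int)  # per-PAN decline counter for enumeration detection

    def _decline(self, pan, reason):
        self.failed[pan] += 1
        return False, reason

    def authorize(self, pan, exp, cvc, channel):
        """Return (approved, reason). Every mismatch counts toward the lock."""
        card = self.cards.get(pan)
        if card is None:
            return False, "unknown_pan"
        if self.failed[pan] >= self.MAX_FAILED_PER_PAN:
            # Repeated declines on one PAN look like expiry/CVC guessing: refuse even valid data
            return False, "pan_locked_enumeration_suspected"
        if channel not in card["channels"]:
            # A card issued for contactless POS use must not work for card-not-present purchases
            return self._decline(pan, "channel_not_allowed")
        if exp != card["exp"] or date(*card["exp"], 1) < self.today.replace(day=1):
            return self._decline(pan, "expiry_mismatch")
        if cvc != card["cvc"]:
            # The CVC is verified rather than accepted unconditionally
            return self._decline(pan, "cvc_mismatch")
        return True, "approved"


def make_demo_issuer():
    # Constructed sample data: a well-known test PAN, not a real card, valid until 2021-03
    cards = {"4111111111111111": {"exp": (2021, 3), "cvc": "123", "channels": {"pos_contactless"}}}
    return VirtualCardIssuer(cards, today=date(2020, 2, 24))


if __name__ == "__main__":
    issuer = make_demo_issuer()
    print(issuer.authorize("4111111111111111", (2021, 3), "123", "pos_contactless"))
    print(issuer.authorize("4111111111111111", (2021, 3), "123", "ecommerce"))
    for month in range(1, 13):  # a sweep of expiry values trips the per-PAN lock
        issuer.authorize("4111111111111111", (2021, month), "123", "ecommerce")
    print(issuer.authorize("4111111111111111", (2021, 3), "123", "pos_contactless"))
```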
PayPal staff are looking at the different issues, including Fenske’s latest description of the attack and his February 2019 vulnerability report. A PayPal spokesman told ZDNet: “The security of customer accounts is a top priority for the company. We are reviewing and evaluating this information and will take any action necessary to further protect our customers.”