PayPal has fixed a bug that could let attackers perform unauthorized mass payments. The bug, according to ZDNet, lay in PayPal's Google Pay integration.
Though it is not clear how the exploit was carried out, several users have reported unexplained transactions in their PayPal accounts, which allegedly originated from their Google Pay accounts.
Although the issue affected mostly German users, the attackers leveraged the bug to buy goods from US retailers, predominantly at Target stores across New York.
The total amount fraudulently transacted is estimated to be "in the range of tens of thousands of euros," according to the reports. Some single transactions reportedly exceeded the €1,000 mark.
A German security researcher, Markus Fenske, claimed the bug was reported to the company in February last year, but that it failed to act on it appropriately.
"PayPal allows contactless payments via Google Pay. If you have set it up, you can read the card details of a virtual credit card from the mobile, if the mobile device is enabled. No auth," said Markus Fenske on Twitter.
When a PayPal account is linked to Google Pay, PayPal creates a virtual card that allows the user to carry out contactless payments. When purchases are made via Google Pay, funds are deducted from the PayPal account through this virtual card, Fenske explained to the publication.
Through this contactless payment method, an attacker "can read the card details of a virtual credit card from the mobile, if the mobile device is enabled." The flaw could also be exploited online, since the virtual card details are usable for card-not-present purchases.
He believes the attackers found a way to discover the details of these virtual cards and used them to make unauthorized transactions.
Fortunately, PayPal said it had addressed the issue yesterday. PayPal did not, however, give details of the bug, and the researcher himself was not certain that his theory fully explains the incident, although it fits the scenario.