Has PayPal closed secretly a Google Pay vulnerability?

[German] According to reports, PayPal has probably closed, without any announcement, the vulnerability that had allowed unauthorized debits via Google Pay some weeks ago. However, there are now new unauthorized debits from Russia.


The case in February 2020

At the end of February 2020, it became public that German PayPal users had become victims of unauthorized debits for fake orders via Google Pay. People suddenly discovered charges on their PayPal account amounting to several hundred euros, allegedly made for purchases using Google Pay in US Target and Starbucks stores. The following screenshot from the Google Pay forum was taken by one of the people affected and lists some of these ominous payments.

(PayPal: Unauthorised TARGET debits, source: Google Pay Forum)

I had reported the details in the blog post Fraud: Unauthorized Google Pay debits at Paypal. Later I received a statement from PayPal that only a small number of people were affected and that they would be reimbursed for the debits. This is discussed in the blog post News about unauthorized PayPal/Google Pay debits.

A suspected vulnerability

During my research for this article I came across the following tweet, which probably sheds some light on the case.


A security researcher stated that he had already found a weakness in the PayPal-Google Pay interface at the beginning of 2019 and had informed the company about it. The security researcher, Markus Fenske, had disclosed some details of the vulnerability to heise, which published them in this German heise article. However, nothing happened at that time regarding a fix of the vulnerability.

Vulnerability secretly closed …

The wave of fraud ebbed at the end of February 2020 and those affected received their money back from PayPal. But a bad feeling remained that this could happen again at any time. Security researcher Markus Fenske recommended deactivating the virtual credit card that PayPal generates when linking to Google Pay and terminating the Google Pay debit agreement. This makes Google Pay debits from the PayPal account impossible. This recommendation still stands.

The editors of heise recently asked security researcher Markus Fenske about the status of the vulnerability. His security team then carried out further tests with virtual credit cards and found that the known and reported vulnerability had apparently been closed. In this article the German site heise states that the fix must have been applied 'sometime in the last 4 weeks'. There are no announcements or statements from PayPal about this issue, even at heise's request.

Another unauthorized charge/fraud?

On the other hand, German blogger Caschy reports in this article from April 16, 2020 on Stadt-Bremerhaven.de that there are probably unauthorized PayPal debits again. Readers have contacted Caschy and complain about unauthorized debits of 3.29 Euro by a network called VKontakte. This is a Russian social network, and the debit entries are in Cyrillic letters.

(Unauthorized VKontakte debit, source: Stadt-Bremerhaven.de)

Caschy has published the above screenshot of such a debit. The alleged merchant who initiated the direct debit specifies noreply+support@google.com as the payment address. This is an address to which a payment could never have gone. It looks as if there are further weaknesses in PayPal and/or Google Pay, although Caschy writes that the Google Pay interface does not appear to be affected.

If you continue searching, you will find forum entries and blog comments like here and here, where unauthorized debits are also claimed. In this PayPal thread a hacked account is given as the cause; whether this is true cannot be verified. In the PayPal forum there are several entries about unauthorized debits, but the cause (hacked account) is not clear.

Similar articles:
Fraud: Unauthorized Google Pay debits at Paypal
News about unauthorized PayPal/Google Pay debits
Does PayPal fail with security? Vulnerabilities unfixed
Mass newsletter spam and the Paypal account hack
The 'nasty' sides of the PayPal Fraud


This entry was posted in Security.
