[German]According to reports, PayPal has probably secretly closed the vulnerability that allowed unauthorized debits via Google Pay some weeks ago. However, there are new unauthorized debits from Russia.
Advertising
The case in February 2020
At the end of February 2020, it went public that German PayPal users became victims of unauthorized debits for fake orders via Google Pay. People suddenly discovered charges on their PayPal account amounting to several hundred euros, allegedly made via purchases made using Google Pay in US Target and Starbucks stores. The following screenshot from the Google Pay forum was taken by one of the people affected and lists some of these ominous payments.
PayPal: Unauthorised TARGET debits, Google Pay Forum)
I had reported in the blog post Fraud: Unauthorized Google Pay debits at Paypal about the details. Later I received a statement from PayPal that there were only a small number of people affected and that they would be reimbursed for the debits. This is discussed in the blog post News about unauthorized PayPal/Google Pay debits.
A suspected vulnerability
During my research for this article I came here across the following tweet, that brings probably some light into that case.
Reported a critical issue to PayPal ONE YEAR AGO.
"Not an issue. Please self-close". Lots of discussion. Finally got a bounty. Asked several times if its fixed. No response. Gave up.
Found that it's actively exploited by now. Sorry PP, you suck.https://t.co/48IVszRqlb
— iblue (@iblueconnection) February 24, 2020
Advertising
A security researcher stated that he had already found a weakness in the PayPal-Google Pay interface at the beginning of 2019 and informed the company about it. The security researcher Markus Fenske had disclosed some details of the vulnerability to heise. This was published in this German heise article. However, nothing happened at that time regarding a fix of the vulnerability.
Vulnerability secretly closed …
The wave of fraud ebbed at the end of February 2020 and those affected received their money back from PayPal. But a bad feeling remained that this could happen again at any time. Security researcher Markus Fenske recommended to deactivate the virtual credit card generated by PayPal when linking to Google Pay and to terminate the Google Pay debit agreement Pay. This made Google Pay debits from the PayPal account impossible. This recommendation should also be heeded further.
The editors of heise recently asked security researcher Markus Fenske about the status of the vulnerability. The security team in question then carried out further tests with virtual credit cards and found that the known and reported vulnerability had apparently been closed. In this article German site heise and states that the fix must have been applied 'sometime in the last 4 weeks'. There are no announcements or statements from PayPal, even at heise's request, about this issue.
Another unauthorized charge/fraud?
On the other hand, German blogger Caschy reports in this article from April 16, 2020 on Stadt-Bremerhaven.de that there are probably again unauthorized debits from PayPal. Readers have contacted Caschy and complain about unauthorized debits of 3.29 Euro by a network VKontakte. This is a Russian social network and the debits are in Cyrillic letters.
(Unauthorized VKontakte debit, source: Stadt-Bremerhaven.de)
Cachy has published the above screenshot with such a debit. The alleged merchant who initiated the direct debit specifies noreply+support@google.com as payment address. This is an address where the payment could never have gone. It looks like there are more weaknesses in PayPal and/or Google Pay – although Caschy writes that it does not look like the Google Pay interface is affected.
If you continue searching, you will find forum entries or comments in blogs like here and here, where unauthorized debits are also claimed. In this PayPal thread a hacked account is given as the cause – whether this is true cannot be verified. In the PayPal forum there are some entries about unauthorized debits – but the cause (hacked account) is not clear.
Similar articles:
Fraud: Unauthorized Google Pay debits at Paypal
News about unauthorized PayPal/Google Pay debits
Does PayPal fail with security? Vulnerabilities unfixed
Mass newsletter spam and the Paypal account hack
The 'nasty' sides of the PayPal Fraud
