A couple of months ago, we covered a story about a Google Inbox spoofing bug found by Eli Grey. It allowed anyone to craft a mailto link that spoofs the recipient shown for an email, so a victim could be tricked into sending a message to a different address than the one displayed. Eli has now reached out to us again with a new finding that builds on the same spoofing trick and affects the PayPal mobile app. The vulnerability is the same as the Inbox by Google one, but worse, because in PayPal there is no way to see the real recipient at all.
The attack starts with a link that, when tapped on Android, opens the default app selector. If the victim selects PayPal, the app offers to pay the person behind the email address in the link. When you go through the normal PayPal flow, the app shows you the email address that will receive the money. Here, however, PayPal shows the spoofed email address instead of the scammer's real one. This means that if someone sends you a link that appears to pay [email protected], for example, the money would actually be sent to [email protected] The link for you to test it yourself is here. Remember, DO NOT SEND MONEY TO THIS EMAIL. The payment screen looks exactly the same as the one for sending money to the real address: it shows a fake email, and paying through it does not actually send money to UNICEF. To actually donate to UNICEF, use the official UNICEF website.
This is very hazardous for anyone who is sent an exploit link. Eli Grey reported the vulnerability to PayPal, and PayPal responded that it was not a bug but a social engineering scam to commit fraud. That response suggests PayPal may not fix it, which is very dangerous for anyone who uses the PayPal app. The fix is simple: show the actual email address the money is being sent to, rather than the display name attached to it.
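To make the display-name-versus-address distinction concrete, here is an added example, not code from the article or from PayPal, that parses a mailto link the way a client might and contrasts a naive recipient display with a hardened one. It assumes (the article does not spell out the exact technique) that the spoof works by attaching a display name that looks like an address to a mailto recipient whose real addr-spec is different; it also goes beyond the article by collecting extra recipients hidden in `to`, `cc` and `bcc` parameters. The addresses used are constructed examples.

```javascript
// Added example: how a client should surface the real recipient of a mailto: link.
// Assumption (not stated in the article): the decoy is an RFC 5322 display name
// such as "donate@charity.example" attached to a different real address.

// Parse a mailto: URI into the primary recipient (display name + real address)
// and its query parameters (subject, body, to, cc, bcc, ...).
function parseMailto(uri) {
  if (!/^mailto:/i.test(uri)) throw new Error('not a mailto: URI');
  const rest = uri.slice('mailto:'.length);
  const qIdx = rest.indexOf('?');
  const toPart = qIdx === -1 ? rest : rest.slice(0, qIdx);
  const query = qIdx === -1 ? '' : rest.slice(qIdx + 1);
  const decoded = decodeURIComponent(toPart);
  // name-addr form:  "Display Name" <addr-spec>   or   Display Name <addr-spec>
  const m = decoded.match(/^\s*(?:"([^"]*)"|([^<]*?))\s*<([^>]+)>\s*$/);
  let displayName = null;
  let address;
  if (m) {
    displayName = (m[1] !== undefined ? m[1] : m[2]).trim() || null;
    address = m[3].trim();
  } else {
    address = decoded.trim();
  }
  const params = {};
  for (const kv of query.split('&').filter(Boolean)) {
    const [k, v = ''] = kv.split('=');
    params[decodeURIComponent(k).toLowerCase()] = decodeURIComponent(v);
  }
  return { displayName, address, params };
}

// Naive rendering (the behaviour the article describes): if a display name is
// present, show only that. The user sees the decoy and never the real address.
function renderRecipientNaive(uri) {
  const { displayName, address } = parseMailto(uri);
  return displayName || address;
}

// Hardened rendering: always show the real addr-spec. The display name is shown
// only next to it, and a name that itself looks like an address is flagged.
function renderRecipientSafe(uri) {
  const { displayName, address } = parseMailto(uri);
  if (!displayName) return address;
  let shown = `${displayName} <${address}>`;
  if (displayName.includes('@') && displayName.toLowerCase() !== address.toLowerCase()) {
    shown += ' [warning: display name differs from real address]';
  }
  return shown;
}

// Every address the message would actually go to, including recipients added
// through to=, cc= and bcc= parameters (comma-separated lists allowed).
function allRecipients(uri) {
  const { address, params } = parseMailto(uri);
  const out = [address];
  for (const h of ['to', 'cc', 'bcc']) {
    if (params[h]) {
      for (const a of params[h].split(',')) {
        const t = a.trim();
        if (t) out.push(t);
      }
    }
  }
  return out;
}

// Constructed sample: the visible name is a charity-looking address, the real
// recipient is the attacker. Percent-encoding is what a link in an email carries.
const SPOOFED_LINK =
  'mailto:%22donate%40charity.example%22%20%3Cattacker%40evil.example%3E';

console.log('naive :', renderRecipientNaive(SPOOFED_LINK));
console.log('safe  :', renderRecipientSafe(SPOOFED_LINK));
console.log('all   :', allRecipients('mailto:a@x.example?cc=b@x.example&bcc=c@x.example'));
```

The naive renderer prints `donate@charity.example`, which is exactly the failure mode described above; the hardened one prints the real address and a warning. A payment app should go one step further and key the whole transaction off the addr-spec only, never off the display name.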
This bug also affects many other apps and operating systems. It affects the default Mail app on macOS, which seems like the type of bug Apple would want to fix. It also affects many Android email apps, including Outlook, the default Samsung Email app, Inbox by Google, and Gmail. They all share the same flaw: the recipient shown to the user is not the real recipient address. Inbox by Google was fixed in May by showing both the display name and the real recipient address.
Hopefully, PayPal and the other companies with affected apps will fix this issue; it is both widespread and dangerous. Luckily, Eli Grey found it and is getting the word out that it exists. Until it is fixed, do not use links to initiate payments or to send important emails; type the recipient address yourself instead.