Sunday, December 7, 2014

New Paypal gateway UI is a disaster

Hey. I decided to get a paid plan on Github and Paypal looked like a good payment option to me. Click the blue button here:

This looks and feels really good. Lightweight elements, updated color scheme and new logo. Except one thing - how do I know this smooth and lovely popup asking for my email and password is actually authorized by / belongs to Paypal.com?


There's no way for a user to tell whether that iframe is served from paypal.com or from WeWantYourPassword.com: an iframe has no address bar, no lock icon, nothing. The best you can do (if you're into webdev) is to fire up your developer console and inspect the frame's src.
But as long as the attacker can detect when the user opens devtools (and change the page's behaviour accordingly), all your efforts are futile.
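The devtools check above, written out as an added example (this is not code from the original post, and the allowlist is an assumption: only https://www.paypal.com is treated as a legitimate gateway origin). It makes the edge cases explicit: frames without a src run under the embedding page's origin, a relative src resolves to the embedder, and origins are compared whole rather than by substring, so a look-alike hostname does not pass. The sample page and frame URLs are constructed for the demo.

```javascript
// Added example (not code from the original post): the "open devtools and look at
// the iframe" check, written as a reusable audit so the edge cases are explicit.
// Assumption: the only origin that should host the PayPal login form is
// https://www.paypal.com. Everything else on the page is made up for the demo.

// Pure helper, runnable outside a browser. pageUrl is the embedding page's URL,
// iframeSrcs are the raw src attributes, allowedOrigins are origins we trust.
function auditIframeOrigins(pageUrl, iframeSrcs, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  const pageOrigin = new URL(pageUrl).origin;
  return iframeSrcs.map((src, index) => {
    // Empty src, srcdoc or about:* frames are filled in by script on the
    // embedding page and run under ITS origin, so they cannot be the gateway.
    if (!src || src.startsWith('about:')) {
      return { index, src, origin: pageOrigin, trusted: false,
               note: 'content injected by the embedding page' };
    }
    let origin;
    try {
      // A relative src resolves against the embedding page, i.e. its origin.
      origin = new URL(src, pageUrl).origin;
    } catch (err) {
      return { index, src, origin: null, trusted: false, note: 'unparseable src' };
    }
    // Compare whole origins, not substrings: "paypal.com" appearing inside a
    // hostname proves nothing, as the look-alike sample below shows.
    const trusted = allowed.has(origin);
    return { index, src, origin, trusted,
             note: trusted ? 'expected gateway origin' : 'origin not in allowlist' };
  });
}

// Browser entry point: paste into the console on the checkout page.
// Caveat from the post: this is a point-in-time check. A page that notices
// devtools opening can rewrite a frame's src before you look.
function auditLivePage(allowedOrigins) {
  const srcs = Array.from(document.querySelectorAll('iframe'))
    .map(frame => frame.getAttribute('src') || '');
  return auditIframeOrigins(location.href, srcs, allowedOrigins);
}

// Constructed sample input shaped like a checkout page (not real GitHub or PayPal URLs).
const SAMPLE_PAGE_URL = 'https://github.com/settings/billing';
const SAMPLE_IFRAME_SRCS = [
  'https://www.paypal.com/login',                              // genuine origin
  'https://www.paypal.com.wewantyourpassword.example/login',   // look-alike host
  '/checkout/embedded-form',                                   // relative: embedder's origin
  '',                                                          // script-filled frame
];
const ALLOWED_GATEWAY_ORIGINS = ['https://www.paypal.com'];

function runSampleAudit() {
  return auditIframeOrigins(SAMPLE_PAGE_URL, SAMPLE_IFRAME_SRCS, ALLOWED_GATEWAY_ORIGINS);
}

if (typeof document === 'undefined') {
  // Running under Node rather than a browser: print the sample report.
  console.table(runSampleAudit());
}
```

In a browser, `auditLivePage(['https://www.paypal.com'])` in the console returns the same kind of report for the real frames on the page; the report is only as good as the moment you ran it.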

This seamless-looking UI is a major step back: for 20 years we've been teaching users to trust the address bar and nothing else! After a couple of successful payments through such fancy gateways they will stop caring about that basic security check.

I created a ticket here about the spoofing risk, because I really don't want to type my Paypal password while I'm on Github.com. How do I know Github wasn't hacked or something?

Some good news though: the Coinbase gateway had the exact same issue a year ago, but now they open the sign-in page in a new window. Kudos!
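The new-window approach, as an added example rather than Coinbase's, PayPal's or GitHub's own code. The gateway is opened as a top-level window, so the user gets a real address bar to read, and the result comes back to the merchant page over postMessage with the origin checked on the receiving side and pinned on the sending side. Merchant origin https://github.com, gateway origin https://www.paypal.com, the gateway path and the message fields are all assumptions for the demo.

```javascript
// Added example (not Coinbase's, PayPal's or GitHub's code): the new-window
// pattern the post praises. The gateway opens as a top-level window with its
// own address bar, so the user can read the origin, and the result comes back
// to the merchant page via postMessage with the origin pinned on both sides.
// Assumed origins: merchant https://github.com, gateway https://www.paypal.com;
// the gateway path and message fields are made up for the demo.

const GATEWAY_ORIGIN = 'https://www.paypal.com';
const MERCHANT_ORIGIN = 'https://github.com';

// Validate a message event before trusting its payload. Three checks:
// exact origin match (no substring or regex matching), the sending window must
// be the popup we opened, and the payload must have the expected shape.
function isTrustedGatewayMessage(event, expectedOrigin, expectedSource) {
  if (event.origin !== expectedOrigin) return false;
  if (expectedSource !== null && event.source !== expectedSource) return false;
  const data = event.data;
  return data !== null && typeof data === 'object' &&
         (data.status === 'approved' || data.status === 'cancelled') &&
         typeof data.paymentId === 'string';
}

// Merchant side: open the gateway in a new top-level window and wait for its
// answer. openWindow and addMessageListener are injected so the logic can be
// exercised outside a browser; in a page they are window.open and
// window.addEventListener('message', ...).
function startGatewayCheckout(openWindow, addMessageListener, gatewayUrl) {
  const popup = openWindow(gatewayUrl, 'gateway', 'width=500,height=650');
  return new Promise((resolve) => {
    addMessageListener((event) => {
      if (!isTrustedGatewayMessage(event, GATEWAY_ORIGIN, popup)) return; // drop noise
      resolve(event.data);
    });
  });
}

// Gateway side (runs inside the popup): report back only to the merchant origin.
// A targetOrigin of '*' would hand the result to whatever page opened us.
function sendResultToOpener(openerWindow, result) {
  if (!openerWindow) return false;
  openerWindow.postMessage(result, MERCHANT_ORIGIN);
  return true;
}

// Constructed simulation (no browser needed): a fake window.open, a fake
// message bus, then two spoofed events followed by one genuine event.
function simulateCheckout() {
  const popupHandle = { name: 'gateway-popup' };
  let listener = null;
  const result = startGatewayCheckout(
    () => popupHandle,
    (fn) => { listener = fn; },
    GATEWAY_ORIGIN + '/checkout?token=demo'   // constructed URL
  );
  const spoofedOrigin = { origin: 'https://www.paypal.com.wewantyourpassword.example',
                          source: popupHandle,
                          data: { status: 'approved', paymentId: 'FAKE-1' } };
  const wrongWindow = { origin: GATEWAY_ORIGIN, source: { name: 'some-other-frame' },
                        data: { status: 'approved', paymentId: 'FAKE-2' } };
  const genuine = { origin: GATEWAY_ORIGIN, source: popupHandle,
                    data: { status: 'approved', paymentId: 'PAY-DEMO-1' } };
  listener(spoofedOrigin);  // dropped: wrong origin
  listener(wrongWindow);    // dropped: not the popup we opened
  listener(genuine);        // accepted
  return result;
}

if (typeof window === 'undefined') {
  // Running under Node: show which message survived the checks.
  simulateCheckout().then(accepted => console.log('accepted:', accepted));
}
```

In a real page the merchant calls `startGatewayCheckout(window.open.bind(window), fn => window.addEventListener('message', fn), gatewayUrl)`; the password is typed into the popup, which the merchant page can neither read nor restyle, and the merchant only ever sees the result message.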

12 comments:

  1. Simple solution, don't use Paypal.

    http://coinaholic.me/?r=32985

    ReplyDelete
  2. This is a big security problem with iframes. I have hoped for years that developers of the major browsers would understand this and automatically change the address bar to the iframe's URL when the iframe has focus. Problem solved! And while they're at it, allow third-party session cookies as default and instead empty the cookies when the user closes the browser (Safari is the worst with its standard cookie settings, breaking so much functionality)

    ReplyDelete
  3. So funny, couldn't even leave a comment here with my iPad before I allowed all third-party cookies in Safari's cookie settings. Proves my point!

    ReplyDelete
  4. Same issue with firefox and third party cookies. Come on Google...

    Also, it would be nice if github accepted payment through Coinbase, but they don't.

    ReplyDelete
  5. But the thing is.... if you know you're on the real Github.... how likely is it the iFrame is _not_ on the real PayPal, unless Github was trying to scam you?

    Sometimes when I use apps that give Google / Facebook logins, even though it goes to a new page I can't see the URL and I keep wondering if the app is just collecting all my username / password info rather than legitimately collecting OAuth tokens....

    I mean, at least in this example I can _see_ the github.com in the URL... I'm not sure how an attacker can put in a site not specified by Github in the iFrame url.... unless it's a man-in-the-middle attack, in which case it's going to be really hard to stop no matter what you do....

    ReplyDelete
  6. @Anonymous 2:25PM - Github is perhaps not a good example for this case, given that it's reasonably well-known. But one *purpose* of a system like Paypal is to allow (say) mysketchasswebsite.com to sell you something without handing over your CC# etc to them. There's EVERY chance I'd be suspicious about where THEY were sourcing the iframe from...

    ReplyDelete
  7. This product was brought out and scrapped very quickly for the new In-Context Checkout that uses a mini browser instead of an iFrame. Unfortunately some sites integrated it themselves in the very short shelf life it had, and haven't migrated to the new, secure version of the product. This is down to GitHub, and not PayPal.

    ReplyDelete
    Replies
    1. the difference between mini browser and iframe? demo?

      Delete
  8. Stripe's embedded checkout is exactly the same thing, worth a mention in your post. Bashing paypal without comparing other players is wrong.

    https://stripe.com/docs/tutorials/checkout

    ReplyDelete
    Replies
    1. It's different, cc form != login form. I can type my cc anywhere. My password is much more precious.

      Delete
  9. scary. I only use paypal in all online transactions

    ReplyDelete
  10. Is the address bar trustworthy? How do I know the address bar isn't fake (the real one hidden) and created from web UI elements? Or that a new window doesn't contain a hidden iFrame?

    ReplyDelete