Many Android email apps and PayPal are vulnerable to recipient spoofing
A couple of months ago, we covered a story about a Google Inbox spoofing design flaw found by Eli Grey. It allowed anyone to send mailto links that spoof the recipient of the email, which could be used to trick people into sending emails to a different address than the one shown. The same researcher reached out to us again with his findings on a similar design flaw involving recipient spoofing and the PayPal mobile app.
This design flaw works as follows: a user clicks a link that opens the Android default app selector and then selects PayPal. This brings up the options for paying the user named in the email. When PayPal opens, it shows the address that you think will receive the money. However, the address PayPal shows to the user does not match the actual recipient. This means that a spoofed link to [email protected], for example, could be constructed to instead send money to [email protected] The link for you to test it yourself is here (DO NOT SEND MONEY TO THIS EMAIL). This screen appears exactly the same to the user as the one for sending money to the real address, but it is a fake email that does not actually send money to UNICEF. To actually donate to UNICEF, use the official UNICEF website.
This is potentially dangerous to anyone who is sent a spoofed link. Eli Grey disclosed this matter to PayPal and was told that it was not a bug, but a social engineering scam to commit fraud. This tells us that PayPal does not consider it an issue that they will fix. We believe it is dangerous to leave this issue alone, since it is easy to fool the average user with a spoofed link. A simple fix is to show the email address that any payment is being sent to instead of only the name.
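An added illustration of the mitigation the article proposes (this is example code, not code from the article, PayPal, or Eli Grey): parse a mailto link, recover the actual recipient address, and render that address instead of the display name alone. It assumes the spoof relies on an RFC 5322 display name that itself looks like an email address, which the article does not spell out; all addresses and domains are constructed placeholders.

```python
"""Recipient-display check for mailto: links (added example, not the article's code).

Assumption: the mismatch between "shown" and "actual" recipient comes from a
display name that looks like an address, e.g.
    "donate@charity.example" <payme@attacker.example>
A confirmation screen that prints only the display name would show the first
address while the mail (or payment) really goes to the second.
"""
from email.utils import getaddresses
from urllib.parse import parse_qs, unquote, urlsplit


def actual_recipients(mailto_url: str) -> list[dict]:
    """Return display name and real addr-spec for every recipient in a mailto: URL.

    Recipients may appear in the path ("mailto:a@b") and/or in ``to=`` query
    parameters; both are collected.
    """
    parts = urlsplit(mailto_url)
    if parts.scheme != "mailto":
        raise ValueError("not a mailto: URL")
    chunks = [unquote(parts.path)] + parse_qs(parts.query).get("to", [])
    recipients = []
    for name, addr in getaddresses(chunks):
        if not addr:  # skip empty or unparsable entries
            continue
        recipients.append({"display": name.strip(), "address": addr.lower()})
    return recipients


def looks_spoofed(rec: dict) -> bool:
    """True when the display name looks like an address but differs from the real one."""
    name = rec["display"].lower()
    return "@" in name and name != rec["address"]


def render_recipient(rec: dict) -> str:
    """What a confirmation screen should show: always the real address, never the name alone."""
    if rec["display"] and not looks_spoofed(rec):
        return f'{rec["display"]} <{rec["address"]}>'
    return rec["address"]


if __name__ == "__main__":
    # Constructed sample: display name impersonates a charity, real recipient differs.
    link = "mailto:%22donate%40charity.example%22%20%3Cpayme%40attacker.example%3E?subject=Donation"
    for rec in actual_recipients(link):
        print("spoofed" if looks_spoofed(rec) else "ok", "->", render_recipient(rec))
```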
This design flaw also affects many other mail applications: the default Mail app on macOS and many email applications on Android, including Outlook, the Samsung Email app, and Gmail. These apps are affected by the same recipient spoofing design flaw. This particular flaw was fixed in Inbox by Google in May.
Hopefully, PayPal and the other affected apps will fix this issue. The design flaw is widespread and easy to exploit. We hope that this information is disseminated so users are aware that they could potentially be clicking on spoofed links.
This article was updated at 12:02PM on 7/13/18 with language that better reflects the nature of this flaw. The title was also amended to refer to the issue as “recipient spoofing” rather than a phishing flaw.