PayPal and Android email apps affected by spoofing vulnerability



A couple of months back, Eli Grey found a spoofing bug in Google Inbox that let an attacker craft mailto links which spoof the recipient of the resulting email: the message is delivered to a different address than the one shown in the recipient box, and the person sending it has no way of seeing the real recipient.

Eli Grey has now found a new vulnerability of the same kind, this time involving the PayPal mobile app. A user who taps such a link is shown the Android default app chooser; selecting PayPal brings up the option to pay the address taken from the email link. When the user sends money through PayPal this way, the app shows them the email address that is supposed to receive it.


But here PayPal shows the user the fake email address instead of the scammer's real one. If someone receives an email link to, the money would not be sent to Unicef but rather the money will be sent to

This is obviously very problematic, and Eli Grey reported the vulnerability to PayPal. PayPal, however, classified it as a social engineering scam rather than a bug, meaning it would neither fix the problem nor offer a workaround. The bug is not limited to PayPal: it also affects the default mail app on macOS and many Android email apps, such as Outlook, the default Samsung Email app, Inbox by Google and Gmail. Inbox by Google was fixed in May. It can only be hoped that PayPal and the other companies with affected apps will fix the issue too.
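The root cause described above is that a mailto: link can deliver to an address other than the one a client displays. The article does not spell out the exact mechanism, so the checker below is an added example, not code from the article, from Eli Grey's research, or from any of the apps named: it resolves every recipient a mailto: URI would actually deliver to (the path plus any to=, cc= or bcc= header fields, the latter being my own generalization of the link-text mismatch the article describes) and flags any link whose visible text does not match. The addresses in SAMPLE_LINKS are constructed placeholders; a mail client or a link-scanning gateway would run the same check before rendering or forwarding a link.

```python
"""
Added example (not from the article): resolve the real recipients of a
mailto: link and flag links whose visible text disagrees with them.
"""
from urllib.parse import urlsplit, unquote, parse_qs

# RFC 6068 header fields that add recipients beyond the URI path.
RECIPIENT_FIELDS = ("to", "cc", "bcc")


def mailto_recipients(uri):
    """Return every address a mailto: URI actually delivers to, in order.

    Recipients live in two places: the path ("mailto:a@x,b@y") and the
    optional header fields in the query string ("?to=...&cc=...&bcc=...").
    A client that shows only the link text, or only the path, hides the rest.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "mailto":
        raise ValueError("not a mailto: URI: %r" % uri)

    recipients = []
    # Path recipients are percent-encoded and comma separated.
    for addr in unquote(parts.path).split(","):
        if addr.strip():
            recipients.append(addr.strip())

    # Header-field recipients; header names are case-insensitive.
    fields = parse_qs(parts.query, keep_blank_values=True)
    for name, values in fields.items():
        if name.lower() not in RECIPIENT_FIELDS:
            continue  # subject=, body= and friends do not add recipients
        for value in values:
            for addr in value.split(","):
                if addr.strip():
                    recipients.append(addr.strip())
    return recipients


def link_is_consistent(visible_text, href):
    """True only if the link delivers to exactly the address it displays."""
    actual = {a.lower() for a in mailto_recipients(href)}
    return actual == {visible_text.strip().lower()}


def audit_links(links):
    """Return (visible_text, real_recipients, ok) for each (text, href) pair."""
    return [(text, mailto_recipients(href), link_is_consistent(text, href))
            for text, href in links]


# Constructed sample links; the addresses are placeholders, not real ones.
SAMPLE_LINKS = [
    ("donate@charity.example", "mailto:donate@charity.example"),
    ("donate@charity.example", "mailto:donate@charity.example?subject=Gift"),
    ("donate@charity.example",
     "mailto:donate@charity.example?to=collector@example.net"),
    ("donate@charity.example",
     "mailto:donate@charity.example?Bcc=collector@example.net"),
    ("donate@charity.example", "mailto:collector@example.net"),
]

if __name__ == "__main__":
    for text, real, ok in audit_links(SAMPLE_LINKS):
        print("%-5s shown=%s real=%s" % ("ok" if ok else "SPOOF", text, real))
```

The comparison is deliberately strict: a link passes only when the set of real recipients is exactly the one displayed address, so an extra cc= or bcc= recipient, a differing path address, or a href that simply does not match the link text all register as a mismatch, while harmless fields such as subject= do not.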

Via: XDA Developers
