A couple of months back, Eli Grey found a Google Inbox spoofing bug which would allow people to send mailto links that would spoof the recipient of the email. It means that it could be used for sending emails to a different address than shown on the recipient box. But the senders of the emails cannot, in any way, see the real recipient.

Eli Grey has found out a new vulnerability of the same kind but this time it involves spoofing and the PayPal mobile app. This vulnerability allows the users to click a link that will open the Android default app selector, the user then can select PayPal and this will bring up options for paying the user from the email. While using PayPal to pay a certain amount of money, it will show the user the email address which will receive the money.

But instead, here PayPal will show the user the fake email id instead of the scammer email. If someone receives an email link to donations@unicef.org, the money would not be sent to Unicef but rather the money will be sent to scammer@spoofing.net.

This obviously is very problematic and Eli Grey brought the vulnerability to PayPal’s notice. But PayPal claimed that it was not a bug but a social engineering scam. This means that PayPal would not fix the problem and offer a solution. However, the bug affects other apps and operating systems such as macOS on the default mailing app. It also affects many Android email apps like Outlook and the default Samsung Email app, Inbox by Google and Gmail. This problem was fixed on Inbox by Google in May. It can only be hoped now that PayPal and other important companies with affected apps will fix this issue.