
Looking at the actual payment process, it seems you get an iframe embedded within the github page that asks for your credentials. It's not possible for users to verify that the iframe actually belongs to paypal without looking at the source (it doesn't; it actually belongs to https://assets.braintreegateway.com/ and it POSTs there too). If this were any less reputable a website implementing this, it would look really, really shady.

It also doesn't help that we've been training users to check the URL bar before filling in their credentials, which won't help at all now.
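The origin check the comment says a user cannot do from the UI, as an added example that is not code from the thread, GitHub, Braintree or PayPal: it pulls every iframe out of a checkout page's markup and reports which origin actually serves it. The allowlist of PayPal origins, the sample page and its paths are assumptions for the example.

```javascript
// Added example, not code from the thread, GitHub, Braintree or PayPal.
// It performs the check the comment says a user cannot do from the UI:
// pull every <iframe> out of a checkout page's markup and report which
// origin actually serves it, flagging anything not on an allowlist.

// Origins from which a genuine PayPal login frame would be expected to be
// served. This allowlist is an assumption for the example, not PayPal's policy.
const EXPECTED_LOGIN_ORIGINS = new Set(["https://www.paypal.com", "https://paypal.com"]);

// Scan raw HTML for <iframe ... src="..."> and resolve each src against the
// embedding page's URL, so relative and protocol-relative sources are handled.
function extractIframeSources(html, pageUrl) {
  const re = /<iframe\b[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    sources.push(new URL(m[1], pageUrl).href);
  }
  return sources;
}

// Classify each frame: served by the expected provider, by the embedding
// site itself (where a look-alike form would live), or by some third party.
function auditLoginFrames(html, pageUrl, expected = EXPECTED_LOGIN_ORIGINS) {
  const pageOrigin = new URL(pageUrl).origin;
  return extractIframeSources(html, pageUrl).map(src => {
    const origin = new URL(src).origin;
    let verdict;
    if (expected.has(origin)) verdict = "expected-provider";
    else if (origin === pageOrigin) verdict = "same-site-as-merchant";
    else verdict = "third-party";
    return { src, origin, verdict };
  });
}

// Constructed sample page: the provider frame the thread describes, plus a
// frame served by the merchant page itself for contrast. Paths are placeholders.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<iframe id="paypal-login" src="https://assets.braintreegateway.com/PLACEHOLDER-PATH"></iframe>
<iframe id="promo" src="/billing/promo-frame"></iframe>
</body></html>`;

for (const f of auditLoginFrames(SAMPLE_CHECKOUT_HTML, "https://github.com/settings/billing")) {
  console.log(`${f.verdict.padEnd(22)} ${f.origin}  (${f.src})`);
}
```

The report only says where the frame is served from; what the form inside it does with the credentials still has to be read from that frame's own source.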



Hey, I'm Pedro, one of the developers at Braintree who built this. We are actively working on this. Initial integrations pointed to a Braintree domain, but any new merchant who integrates PayPal via Braintree will be using a PayPal domain. GitHub will do so shortly.


That's good, but I think the user needs a way to confirm that the pop-in is actually served by paypal, and that that is where their credentials will go. As it is now, what will stop me from faking one of these forms, making it look totally legit, but instead sending the logins to my own server?


I don't think anything can stop someone from phishing so long as we have iframes, and users trained to accept their use.


Well yes, my point is not to use an iframe like this (unless browsers start to include their own URL bars for those, though that still seems like a terrible idea). Previously paypal opened a regular popup (an entirely new window with its own url bar) or simply redirected the page. Both of those will fully inform the user about what site they are filling their credentials into.


What would ever have stopped you from doing that? What will stop you from doing that in the future?


Uh, the fact that normal paypal integrations redirect you to an https://paypal.com page that has paypal.com in the url bar, and a green mark for an ssl certificate that says "Paypal, Inc [US]"? Which we have trained everyone to look out for.


If only, from the beginning, users had been trained to log in to Paypal solely when they're on paypal.com. That could be accomplished in this sort of transaction via a new popup window.

Of course, the horse is long out of the barn on this.



