[talos]

Huh. I'm confused, what's to stop someone from copying the "Paypal" button and associated modal, but simply directing the form to themselves to absorb the Paypal credentials?

I suppose anyone could do this to take advantage of silly users, but this is encouraging users to trust 3rd party websites by design.

Seems wide open for phishing.

[aioprisan]

There is also nothing stopping anyone from slapping on the old PayPal button or the Checkout with Amazon button on a phishing site. Do you prefer something non-branded out of the box, such as Stripe's Pay with Card button? Generally, you can't turn these services on without at least having the page serving the production version on SSL.

[talos]

Yeah, but those sites don't have people enter in their login/password until after they've been forwarded to an `amazon.com` or `paypal.com` domain. Try it. This is encouraging users to engage in fundamentally unsafe behavior (enter credentials for site A on site B because site B looks like site A).

[aioprisan]

Google Wallet does the same thing as Stripe checkout with the overlay: https://www.humblebundle.com/ Is the URL inspection the best way to make sure you're going to the right site? I know that for us deeply technical folks that's the case, but for someone less technical, they wouldn't know the difference between one URL redirect vs. another.

[talos]

Not quite. If you're not logged in, Google Wallet will open a popup (as opposed to a JS modal overlay), clearly identified as "https://accounts.google.com", prompting you to enter your username and password. The username and password are never entered under the same URL bar as the 3rd party site.

If Braintree's checkout process opened a popup window, with a clear URL bar, into which the user entered their username/password, then this would not be a problem.

[pbcoronel]

This is Pedro, one of the developers at Braintree who worked on this product. Security is our top priority which is why we will show a pop-up window hosted on a PayPal domain in the environments that support it. We are incrementally rolling this feature out. Here's more info about this particular issue: https://developers.braintreepayments.com/javascript+ruby/sdk...

[talos]

Interesting. I understand that popups might not be supported in certain environments, but it would seem the preferable flow in that case would be to forward to Paypal, authorize, then forward back. I just don't see any way to protect a lightbox from phishing, even if that's only on a subset of devices.

I guess I'm not up on the limitations of mobile browsers, but if they really make it so hard to expose the URL, it would seem to re-open a huge array of phishing attacks (and, once these are heavily exploited, mobile browsers will probably get better about exposing URLs.)

[aioprisan]

I remember seeing these same concerns with the Stripe button. Edit: found the old discussion link: https://news.ycombinator.com/item?id=5079702&mobify=0

[talos]

When I've used Stripe payment before, I remember just entering my credit card info. I can do this anywhere, regardless of how it's branded.

If someone malicious gets my credit card info, I have a lot of ways to defend myself. Someone malicious getting my PayPal login info could be much, much more dangerous, and I'd have considerably less protection. Essentially we're talking about leaking login info here -- that's very different than credit card info.

[pc]

This phishing concern is part of why we decided to use one-time SMS tokens with Checkout -- there's no password to steal.

[talos]

That's good to know -- thanks for clarifying that this is a real security concern.