[talos]

Not quite. If you're not logged in, Google Wallet will open a popup (as opposed to a JS modal overlay), clearly identified as "https://accounts.google.com", prompting you to enter your username and password. The username and password are never entered under the same URL bar as the 3rd party site.

If Braintree's checkout process opened a popup window, with a clear URL bar, into which the user entered their username/password, then this would not be a problem.

[pbcoronel]

This is Pedro, one of the developers at Braintree who worked on this product. Security is our top priority which is why we will show a pop-up window hosted on a PayPal domain in the environments that support it. We are incrementally rolling this feature out. Here's more info about this particular issue: https://developers.braintreepayments.com/javascript+ruby/sdk...

[talos]

Interesting. I understand that popups might not be supported in certain environments, but it would seem the preferable flow in that case would be to forward to Paypal, authorize, then forward back. I just don't see any way to protect a lightbox from phishing, even if that's only on a subset of devices.

I guess I'm not up on the limitations of mobile browsers, but if they really make it so hard to expose the URL, it would seem to re-open a huge array of phishing attacks (and, once these are heavily exploited, mobile browsers will probably get better about exposing URLs.)

[tokenizerrr]

The most interesting part to me is that this is a regression. Paypal integration used to work like you said, and like I said here[1], though now they seem to favor usability over security.

[1]: https://news.ycombinator.com/item?id=8011614