by pbcoronel 4367 days ago
This is Pedro, one of the developers at Braintree who worked on this product. Security is our top priority which is why we will show a pop-up window hosted on a PayPal domain in the environments that support it. We are incrementally rolling this feature out. Here's more info about this particular issue: https://developers.braintreepayments.com/javascript+ruby/sdk...

Interesting. I understand that popups might not be supported in certain environments, but it would seem the preferable flow in that case would be to forward to Paypal, authorize, then forward back. I just don't see any way to protect a lightbox from phishing, even if that's only on a subset of devices.

I guess I'm not up on the limitations of mobile browsers, but if they really make it so hard to expose the URL, it would seem to re-open a huge array of phishing attacks (and, once these are heavily exploited, mobile browsers will probably get better about exposing URLs.)

The most interesting part to me is that this is a regression. PayPal integration used to work like you said, and like I said here[1], though now they seem to favor usability over security.

[1]: https://news.ycombinator.com/item?id=8011614