PayPal Mobile API Reveals a Security Flaw

A vulnerability has been revealed in PayPal’s payment services which could allow a cybercriminal to bypass security filters. This would allow a hacker to get unauthorized access to a blocked users’ PayPal account. This security vulnerability has been found to reside in the mobile API authentication procedure.

What does the flaw allow?

When a PayPal user enters an incorrect username/password several times while accessing the account, the user is redirected to a page where a number of security questions have to be answered before access is allowed again. However, if the same user tries to access the temporarily restricted PayPal account from his mobile with the proper credentials, then the access is easily provided without asking for any additional security details.

For other security reasons, specifically to prevent a fraudster, PayPal temporarily denies access to the account. But a remote attacker could then login via the mobile API and take advantage of the existing flaw in it.

Here is a video demonstration of how the flaw works:

Still no update from PayPal

The vulnerability was detected back in March 2013 by a researcher from Vulnerability Laboratory. The flaw was reported back then but no action has yet been taken against it. As per a vulnerability disclosure document, no identifier has been assigned to the authentication restriction bypass vulnerability found in PayPal’s online services.

Which PayPal products does it affect?

The flaw basically affects the PayPal’s iOS mobile application for both iPhone and iPad. The app fails to check for the restriction flags that would not allow access to the temporarily blocked account. The version 4.6.0 of the iOS app was first affected and it is still working on the latest version i.e. version 5.8.

The Vulnerability Lab cited the following in an official closure document:

The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for the blocked user to get access to his PayPal account and is able to make transactions and he can send money from the account. The mobile iPhone / iPad Paypal app does need a security upgrade to ensure that the status of an account is also verified and how the app reacts when such an event takes place.