Authentication Flaw in PayPal mobile API
A vulnerability in PayPal's enforcement of account restrictions through the mobile API allows an individual to access a blocked account without providing any additional security details. This was reported today by Ionut Ilascu of Softpedia, who said that although the vulnerability has existed since 2013, PayPal has not fixed it as of now.
What is the flaw?
When a user enters a wrong username and password pair several times, access to the account from a computer is restricted until the PayPal user answers a preset security question. However, switching to a mobile device removes the security-question step, and the account can be accessed with the right credentials alone.
What is wrong with that?
In the normal course of operations there is nothing wrong with the mobile API bypassing the security question and allowing the PayPal user to access the account by providing the right credentials, but the same path also works for blocked accounts. PayPal often blocks users for a variety of reasons, such as preventing a fraudster from reaching illicitly obtained funds. The most famous user blocked by PayPal.
The vulnerability was discovered by Benjamin Kunz Mejri of Vulnerability Laboratory in 2013. Mejri notified PayPal through its Bug Bounty program in March 2013, but PayPal has yet to patch the flaw. The affected product is the iOS mobile application for both iPhone and iPad, which fails to check the restriction flags that would deny access to the account. In his report on the glitch, Mejri says that version 4.6.0 of the PayPal iOS app is affected. At the moment the latest version in the App Store is PayPal 5.8, but the researcher has confirmed that the flaw still works.
Video demonstration of the flaw:
A video demonstrating the flaw has been published, showing how the researcher intentionally enters the wrong username in order to have the account blocked. After several attempts, the service requests the answer to a security question in order to validate the user. The researcher then switches to the iOS device and types the correct credentials, which grant him access to the blocked account and allow him to initiate financial transactions. The disclosure document states that this security glitch is estimated to have a high CVSS (Common Vulnerability Scoring System) base score of 6.2, but no identifier has been assigned to it. PayPal has paid Mejri no bounty for the discovery.
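The defect class described above, as an added illustration that is not PayPal's code or the researcher's proof of concept: a login flow where the lockout and block state (the restriction flags) are enforced on the web path but never consulted on a separate mobile path, beside the hardened form in which every channel goes through one authentication routine. The attempt threshold, account model and function names are assumptions for the example.

```python
"""Constructed example: channel-specific restriction checks versus one shared check."""
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # assumed threshold; the article only says "several"


@dataclass
class Account:
    password: str
    failed_attempts: int = 0
    restricted: bool = False  # set by the lockout, or administratively for blocked accounts


def _record_failure(acct: Account) -> None:
    """After repeated bad credentials, flag the account as restricted."""
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.restricted = True


def authenticate(acct: Account, password: str, security_answer_ok: bool) -> str:
    """Shared authentication routine: credentials first, then the restriction flag.
    Returns "denied", "challenge_required" or "granted"."""
    if password != acct.password:
        _record_failure(acct)
        return "denied"
    if acct.restricted and not security_answer_ok:
        return "challenge_required"  # restricted account must answer the security question
    return "granted"


def web_login(acct: Account, password: str, security_answer_ok: bool = False) -> str:
    """Web client path: goes through the shared routine, so restrictions are enforced."""
    return authenticate(acct, password, security_answer_ok)


def mobile_login_vulnerable(acct: Account, password: str) -> str:
    """Defect from the article: the mobile path checks credentials only and never
    reads the restriction flag, so a locked or blocked account opens on correct credentials."""
    return "granted" if password == acct.password else "denied"


def mobile_login_fixed(acct: Account, password: str, security_answer_ok: bool = False) -> str:
    """Hardened mobile path: same shared routine as the web client, so the restriction
    flag is checked regardless of which client the request originates from."""
    return authenticate(acct, password, security_answer_ok)
```

Running the fixed path against an account restricted by either lockout or an administrative block yields "challenge_required" until the security question is answered, which is the behaviour the web path already had.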
Resource: Softpedia Security