Authentication Vulnerability in PayPal Mobile API Exposes Millions of Users

Researchers at Vulnerability Lab discovered an authentication restriction bypass in PayPal mobile API that could be exploited to access blocked accounts. The vulnerability lies in the authentication procedure for the PayPal web service.

Normally, if a PayPal users enters a wrong password- Username combination several times as they try login into their account, PayPal temporarily blocks the account for security reasons. The User is then prompted to answer several security questions in order to authenticate their identity.

The authentication restriction bypass vulnerability allows the user to access the blocked account without entering any further security details. All the user need to access the blocked account is switch to a mobile device and enter the correct credentials through the official PayPal mobile App client via the API.

“The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for the blocked user to get access to his PayPal account and is able to make transactions and he can send money from the account,” reports the advisory issued by the Vulnerability Laboratory Research Team which discovered the authentication vulnerability.

Technically, the mobile authentication flaw allows the user to circumvent restriction flags that would have blocked access into the account. In this case a malicious attacker to tricks the PayPal’s Mobile app into ignoring 2FA flag on the account and therefore logs in without requiring secondary authentication.

The vulnerability presents a great danger because a malicious hacker “only needs a victim’s PayPal username and password in order to access a two-factor protected account and send money. The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified,” according to Duo security Lab.

Video demonstration of how the vulnerability can be exploited.

The vulnerability in PayPal authentication procedure was first discovered by Benjamin Kunz Mejri – founder and CEO of Vulnerability Lab- almost a year ago. PayPal is yet to develop an effective patch nor even reward the discoverer.

According to Merji, the authentication flaw in PayPal affects both iOS app for iPhones and iPads using version 4.60 and 5.8 of the PayPal iOS app. The Mobile App is currently at Version 5.8. . The vulnerability has been rank as a high security threat with a CVSS (common vulnerability scoring system) count of 6.2.

Security experts have warned the extent of threat is wide considering PayPal has over 143 million active accounts across all the 193 markets where the company has its footprints. The eBay company records over 9 million transactions in a day using 23 different currencies, meaning billions of clients’ money is at risk.

Last year, Vulnerability Lab discovered another similar flaw in PayPal staff portal, used by pay officials to review users Data. The security hole in the Ethernet portal could have enabled a malicious hacker to hijack user sessions, gain access to the accounts database, compromise developer and administrator accounts, perform external redirects, and for persistent manipulation of affected or connected modules, according to vulnerability Lab.

“An application-side validation Web vulnerability and a filter bypass has been discovered in the official PayPal Inc. Ethernet portal backend application (API). The filter bypass allows remote attackers to evade the regular parse and encode filter mechanism of the PayPal online-service portal Web-application. The persistent input validation vulnerability allows remote attackers to inject own malicious script codes on the application-side of the vulnerable service,” read the advisory provided by Vulnerability Lab

The flaw was allegedly reported to PayPal in February 2013 but it took 10months for the Payment process to patch it up.

Clearly the Vulnerability in authentication, is a design and implementation flaw in PayPal’s mobile App. With the current rise in cybercrime, there is need for companies to design products with security features that live up to their promise. If well designed the two-factor authentications is one of the most secure methods of protecting users and businesses.

Ali Raza Ali is a freelance journalist, having 5 years of experience in web journalism and marketing. He contributes to various online publications. With a Master degree, now he combines his passions for writing about internet security and technology for SecurityGladiators. When he is not working, he loves traveling and playing games.

1 thought on “Authentication Vulnerability in PayPal Mobile API Exposes Millions of Users”

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.