Payment services provider PayPal is vulnerable to an authentication restriction bypass vulnerability, which could allow an attacker to bypass a filter or restriction of the online-service to get unauthorized access to a blocked users’ PayPal account.
The security vulnerability actually resides in the mobile API authentication procedure of the PayPal online-service, which doesn’t check for the blocked and restricted PayPal accounts.
HOW THE VULNERABILITY WORKS
In case if a PayPal user enters a wrong username or password combination
several times in an effort to access the account, then for the security
reasons, PayPal
will restrict the user from opening or accessing his/her account on a
computer until the answers to a number of security questions is
provided.
However, if the same user, at the same time switches to a mobile device
and tries accessing the temporarily closed PayPal account with the right
credentials via an official PayPal mobile app client through the API,
the user will get access to the account without providing any additional
security detail.
WHAT WENT WRONG
“The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for the blocked user to get access to his PayPal account and is able to make transactions and he can send money from the account,” states the vulnerability disclosure document.
For some other security reasons, such as for preventing a fraudster from
reaching illicitly obtained funds, PayPal could temporarily denied
users to access their PayPal account. In such cases, a remote attacker
could “login through the mobile API with PayPal portal restriction to
access account information or interact with the compromised account.”
REPORTED OVER ONE YEAR BUT STILL NO PATCH AVAILABLE
The critical vulnerability in PayPal
was discovered about a year ago by Benjamin Kunz Mejri from
Vulnerability Laboratory, and as a responsible researcher, he reported
the flaw to the PayPal’s team, but the fix for the vulnerability is
still not available. Also no bug bounty has been paid to him for the
discovery and responsible disclosure of the bug.
According to the vulnerability disclosure document, the authentication
restriction bypass vulnerability in PayPal online service has been
assigned a high CVSS (Common Vulnerability Scoring System) base score of
6.2, but no identifier has been assigned to the bug.
But, despite answering those questions, the researcher used his iOS
device and entered the correct combination of username and password,
which easily granted him access to his blocked account, allowing him to
initiate financial transactions.
PRODUCTS AFFECTED
The vulnerability affects the iOS mobile application for both iPhone and
iPad, as it fails to check for the restriction flags that would not
allow access to the blocked or temporarily blocked account. According to
the researcher, the version 4.6.0 of the iOS app is affected, and the
flaw is also working on the latest version 5.8.
An eBay owned company, PayPal provides a faster and safer way to pay and
get paid. The service gives people simpler ways to send money without
sharing financial information, with over 148 million active accounts in
26 currencies and across 193 markets, thereby processing more than 9
million payments daily.
0 التعليقات