Payment services provider PayPal is affected by an authentication restriction bypass vulnerability, which could allow an attacker to bypass a filter or restriction of the online service and get unauthorized access to a blocked user's PayPal account.
The vulnerability resides in the mobile API authentication procedure of the PayPal online service, which does not check whether a PayPal account is blocked or restricted.
HOW THE VULNERABILITY WORKS
If a PayPal user enters a wrong username or password combination several times while trying to access the account, PayPal, for security reasons, will restrict the user from opening or accessing the account on a computer until a number of security questions have been answered.
However, if the same user then switches to a mobile device and tries to access the temporarily locked PayPal account with the correct credentials via the official PayPal mobile app, which talks to the PayPal API, the user gets access to the account without providing any additional security details.
WHAT WENT WRONG
“The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for the blocked user to get access to his PayPal account and is able to make transactions and he can send money from the account,” states the vulnerability disclosure document.
For other security reasons, such as preventing a fraudster from reaching illicitly obtained funds, PayPal may temporarily deny users access to their PayPal account. In such cases, a remote attacker could "login through the mobile API with PayPal portal restriction to access account information or interact with the compromised account."
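The design flaw described above is a restriction check that lives in one client channel (the web login) rather than in the account itself, so a second channel (the mobile API) never sees it. The following is an added illustration, not PayPal's code or anything from the disclosure document: a toy authentication back end with the vulnerable per-channel layout beside a hardened version where a single policy function enforces the account's restriction state for every channel and logs restricted-account attempts for detection. All names, flags and sample credentials are constructed.

```python
"""Constructed example: two login channels sharing one account store.
Names, restriction flags and sample data are invented; this is not
PayPal's code and does not model its real API."""
from dataclasses import dataclass
from enum import Enum, auto
import hashlib
import hmac

class Restriction(Enum):
    NONE = auto()
    LOCKED_TOO_MANY_ATTEMPTS = auto()   # must answer security questions first
    FUNDS_HOLD = auto()                 # fraud review: account frozen

@dataclass
class Account:
    username: str
    password_hash: str
    restriction: Restriction = Restriction.NONE
    failed_attempts: int = 0

MAX_ATTEMPTS = 3
AUDIT_LOG = []   # one dict per denied attempt on a restricted account

def _hash(pw: str) -> str:
    # Illustrative only; a real system uses a slow password hash (argon2/bcrypt).
    return hashlib.sha256(pw.encode()).hexdigest()

def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password_hash, _hash(password))

def _record_failure(acct: Account) -> None:
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.restriction = Restriction.LOCKED_TOO_MANY_ATTEMPTS

# --- Vulnerable layout: each channel decides for itself -------------------
def web_login_vulnerable(acct: Account, password: str) -> str:
    # The web channel knows about restrictions...
    if acct.restriction is not Restriction.NONE:
        return "denied: answer security questions"
    if check_password(acct, password):
        acct.failed_attempts = 0
        return "ok"
    _record_failure(acct)
    return "denied: bad credentials"

def mobile_api_login_vulnerable(acct: Account, password: str) -> str:
    # ...but the mobile API checks only that the account exists and the
    # credentials match. A locked or frozen account is fully usable here.
    return "ok" if check_password(acct, password) else "denied: bad credentials"

# --- Hardened layout: one policy function, every channel goes through it ---
def authenticate(acct: Account, password: str, channel: str) -> str:
    """Single decision point. Restriction state belongs to the account, not
    to the channel, so it is enforced before credentials are even tested."""
    if acct.restriction is not Restriction.NONE:
        AUDIT_LOG.append({"user": acct.username, "channel": channel,
                          "restriction": acct.restriction.name})
        return f"denied: account restricted ({acct.restriction.name})"
    if check_password(acct, password):
        acct.failed_attempts = 0
        return "ok"
    _record_failure(acct)
    return "denied: bad credentials"

def web_login(acct: Account, password: str) -> str:
    return authenticate(acct, password, "web")

def mobile_api_login(acct: Account, password: str) -> str:
    return authenticate(acct, password, "mobile_api")

def demo() -> dict:
    """Constructed scenario: three wrong web logins lock the account, then the
    correct password is tried from the mobile channel against both layouts.
    A second account is under a funds hold from the start."""
    alice = Account("alice", _hash("correct horse"))
    for _ in range(MAX_ATTEMPTS):
        web_login_vulnerable(alice, "wrong")
    bob = Account("bob", _hash("hunter2"), Restriction.FUNDS_HOLD)
    return {
        "alice_locked": alice.restriction is Restriction.LOCKED_TOO_MANY_ATTEMPTS,
        "alice_vulnerable_mobile": mobile_api_login_vulnerable(alice, "correct horse"),
        "alice_hardened_mobile": mobile_api_login(alice, "correct horse"),
        "bob_vulnerable_mobile": mobile_api_login_vulnerable(bob, "hunter2"),
        "bob_hardened_mobile": mobile_api_login(bob, "hunter2"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the hardened half is structural rather than a new check: the account's restriction is evaluated in one place that every client path must call, and each denied attempt on a restricted account is written to an audit record carrying the channel name, which is exactly the signal a fraud or SOC team would want to alert on when a locked account is being probed from a second channel.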
REPORTED OVER A YEAR AGO BUT STILL NO PATCH AVAILABLE
The critical vulnerability in PayPal was discovered about a year ago by Benjamin Kunz Mejri from Vulnerability Laboratory, and, as a responsible researcher, he reported the flaw to PayPal's team, but a fix for the vulnerability is still not available. No bug bounty has been paid to him for the discovery and responsible disclosure of the bug either.
According to the vulnerability disclosure document, the authentication restriction bypass vulnerability in the PayPal online service has been assigned a high CVSS (Common Vulnerability Scoring System) base score of 6.2, but no identifier has been assigned to the bug.
But, despite answering those questions, the researcher used his iOS device and entered the correct combination of username and password, which easily granted him access to his blocked account, allowing him to initiate financial transactions.
PRODUCTS AFFECTED
The vulnerability affects the iOS mobile application for both iPhone and iPad, as it fails to check the restriction flags that would otherwise deny access to a blocked or temporarily blocked account. According to the researcher, version 4.6.0 of the iOS app is affected, and the flaw also works on the latest version, 5.8.
An eBay-owned company, PayPal provides a faster and safer way to pay and get paid. The service gives people simpler ways to send money without sharing financial information, with over 148 million active accounts in 26 currencies and across 193 markets, processing more than 9 million payments daily.