
Friday, October 10, 2014

Authentication Flaw in PayPal mobile API Allows Access to Blocked Accounts

Payment services provider PayPal is vulnerable to an authentication restriction bypass, which could allow an attacker to evade a filter or restriction of the online service and gain unauthorized access to a blocked user's PayPal account.

The security vulnerability resides in the mobile API authentication procedure of the PayPal online service, which does not check whether a PayPal account is blocked or restricted.

HOW THE VULNERABILITY WORKS
If a PayPal user enters a wrong username or password combination several times while trying to access the account, PayPal will, for security reasons, restrict the user from opening or accessing the account on a computer until the answers to a number of security questions are provided.

However, if the same user, at the same time, switches to a mobile device and tries to access the temporarily closed PayPal account with the correct credentials via the official PayPal mobile app client, which talks to the API, the user gets access to the account without providing any additional security details.
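To make the class of flaw concrete, here is an added illustration (not PayPal's code, which the article does not show): a toy login service in which the web path enforces the lockout but a separate mobile API path validates only the credentials, beside a fixed mobile path that routes through the same policy function. The account, the attempt threshold and the return values are constructed for this example.

```python
import hmac
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # constructed threshold; the article gives no number

@dataclass
class Account:
    username: str
    password: str  # constructed sample; a real service stores a hash, not the password
    failed_attempts: int = 0
    restricted: bool = False  # set by the lockout, cleared after the security questions

def _credentials_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password.encode(), password.encode())

def authenticate(acct: Account, password: str) -> str:
    """Server-side policy used by the web login, as the article describes it:
    counts failures, trips the lockout, and refuses a restricted account even
    when the credentials are correct."""
    if acct.restricted:
        return "challenge_required"  # security questions must be answered first
    if not _credentials_ok(acct, password):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.restricted = True
        return "denied"
    acct.failed_attempts = 0
    return "granted"

def mobile_login_flawed(acct: Account, password: str) -> str:
    """Mobile API path as described in the article: a separate code path that
    validates only the credentials and never consults the restriction flag."""
    return "granted" if _credentials_ok(acct, password) else "denied"

def mobile_login_fixed(acct: Account, password: str) -> str:
    """Fix: every channel goes through the one policy function, so the
    restriction is enforced before the credentials are even considered."""
    return authenticate(acct, password)

def demo() -> tuple:
    """Trip the lockout on the web path, then try the right password on each path."""
    acct = Account("alice", "correct-horse")  # constructed sample account
    for _ in range(MAX_FAILED_ATTEMPTS):
        authenticate(acct, "wrong-password")
    return (authenticate(acct, "correct-horse"),         # 'challenge_required'
            mobile_login_flawed(acct, "correct-horse"),  # 'granted'  <- the bypass
            mobile_login_fixed(acct, "correct-horse"))   # 'challenge_required'
```

The defensive point is that account state such as "restricted" belongs in one shared authentication policy, not re-implemented per client channel.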
