Authentication vulnerability in PayPal mobile API allows access to restricted Accounts

“The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for the blocked user to get access to his PayPal account and is able to make transactions and he can send money from the account,” reports the advisory issued by the Vulnerability Laboratory Research Team which discovered the authentication vulnerability.

The security risk of the auth bypass restriction vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.2. Exploitation of the vulnerability requires a restricted/blocked account of the paypal application without user interaction. Successful exploitation of the issue results in auth restriction bypass through the official mobile paypal app api. Vulnerable Service(s): [+] PayPal Inc Vulnerable Software(s):

[+] PayPal iOS App (iPhone & iPad) v4.6.0 Vulnerable Module(s):
[+] API Affected Module(s):
[+] Login Verification – (Auth)

At this point the attack scenario is very scaring, PayPal could temporarily denies the access to a legitimate user while a remote attacker which has the account credentials could “login through the mobile API with PayPal portal restriction to access account information or interact with the compromised account.”

 

 

The bad news is that the authentication vulnerability has been reported over one year ago by Benjamin Kunz Mejri from Vulnerability Laboratory, but it is still present in the PayPal authentication service.

Another disconcerting aspect of the story is that the researcher hasn’t received any bug bounty for the discovery of the flaw.

Below a video Proof of concept for the authentication vulnerability in the PayPal service.

 

Let’s see what happen now!