Pierluigi Paganini
October 11, 2014
Another authentication flaw affects PayPal mobile API, an attacker exploiting it could gain access to Blocked Accounts. The authentication restriction bypass vulnerability, resides in the mobile API authentication procedure of the PayPal online-service, according to Vulnerability Laboratory Research Team which discovered the flaw.
When a user tries several times to access the PayPal service providing wrong a password the access to its account is restricted by PayPal to avoid unauthorized accesses, at this point it is requested to the legitimate user to provide the answers to a number of security questions he has provided in the past.
The experts discovered that at this point, even if the access to the account has been restricted by PayPal, the user simply switching to a mobile device is able to complete the authentication procedure without restrictions, despite his account has been blocked.
Resuming the user with right credentials via an official PayPal mobile app client could access to his account even if it has been blocked for security reasons.
“The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for the blocked user to get access to his PayPal account and is able to make transactions and he can send money from the account,” reports the advisory issued by the Vulnerability Laboratory Research Team which discovered the authentication vulnerability.
The security risk of the auth bypass restriction vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.2. Exploitation of the vulnerability requires a restricted/blocked account of the paypal application without user interaction. Successful exploitation of the issue results in auth restriction bypass through the official mobile paypal app api. Vulnerable Service(s): [+] PayPal Inc Vulnerable Software(s): [+] PayPal iOS App (iPhone & iPad) v4.6.0 Vulnerable Module(s):
[+] API Affected Module(s):
[+] Login Verification – (Auth)
At this point the attack scenario is very scaring, PayPal could temporarily denies the access to a legitimate user while a remote attacker which has the account credentials could “login through the mobile API with PayPal portal restriction to access account information or interact with the compromised account.”
The bad news is that the authentication vulnerability has been reported over one year ago by Benjamin Kunz Mejri from Vulnerability Laboratory, but it is still present in the PayPal authentication service.
Another disconcerting aspect of the story is that the researcher hasn’t received any bug bounty for the discovery of the flaw.
Below a video Proof of concept for the authentication vulnerability in the PayPal service.
Let’s see what happen now!
(Security Affairs – PayPal, authentication vulnerability)
