Invite Scene - #1 to Buy, Sell, Trade or Find Free Torrent Invites
Authentication Flaw in PayPal mobile API Allows Access to Blocked Accounts


Crypto

Payment services provider PayPal is vulnerable to an authentication restriction bypass vulnerability, which could allow an attacker to bypass a filter or restriction of the online service to gain unauthorized access to a blocked user’s PayPal account.
 
The security vulnerability actually resides in the mobile API authentication procedure of the PayPal online service, which doesn’t check for blocked and restricted PayPal accounts.
 
HOW THE VULNERABILITY WORKS
If a PayPal user enters a wrong username or password combination several times while trying to access the account, then for security reasons PayPal will restrict the user from opening or accessing his/her account on a computer until the answers to a number of security questions are provided.
 
However, if the same user then switches to a mobile device and tries to access the temporarily closed PayPal account with the right credentials through the official PayPal mobile app client, via the API, the user will get access to the account without providing any additional security details.
 
 

WHAT WENT WRONG
For other security reasons, such as preventing a fraudster from reaching illicitly obtained funds, PayPal may temporarily deny users access to their PayPal account. In such cases, a remote attacker could “login through the mobile API with PayPal portal restriction to access account information or interact with the compromised account.” “The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for the blocked user to get access to his PayPal account and is able to make transactions and he can send money from the account,” states the vulnerability disclosure document.
 
REPORTED OVER ONE YEAR BUT STILL NO PATCH AVAILABLE
The critical vulnerability in PayPal was discovered about a year ago by Benjamin Kunz Mejri from Vulnerability Laboratory, and as a responsible researcher, he reported the flaw to PayPal’s team, but a fix for the vulnerability is still not available. Also, no bug bounty has been paid to him for the discovery and responsible disclosure of the bug.
 
According to the vulnerability disclosure document, the authentication restriction bypass vulnerability in the PayPal online service has been assigned a high CVSS (Common Vulnerability Scoring System) base score of 6.2, but no identifier has been assigned to the bug.
 
VIDEO DEMONSTRATION
A video demonstration of the vulnerability has also been published by the researcher, showing how he intentionally enters the wrong username several times in order to have his PayPal account blocked. After the account is blocked, the online payment service asks him to answer some security questions in order to validate the user.
 
 
But, despite answering those questions, the researcher used his iOS device and entered the correct combination of username and password, which easily granted him access to his blocked account, allowing him to initiate financial transactions.
 
PRODUCTS AFFECTED
The vulnerability affects the iOS mobile application for both iPhone and iPad, as it fails to check for the restriction flags that would deny access to a blocked or temporarily blocked account. According to the researcher, version 4.6.0 of the iOS app is affected, and the flaw also works on the latest version, 5.8.
 
An eBay owned company, PayPal provides a faster and safer way to pay and get paid. The service gives people simpler ways to send money without sharing financial information, with over 148 million active accounts in 26 currencies and across 193 markets, thereby processing more than 9 million payments daily.
 
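A small model of the inconsistency the post describes, added here as an illustration and not code from PayPal or from the researcher: the account store, the three-failure restriction threshold and all function names are constructed assumptions. The web path and the mobile API path verify the same credentials, but only one of them consults the account's restriction flags; the hardened mobile path reuses the single shared access decision.

```python
import hmac
from dataclasses import dataclass

@dataclass
class Account:
    username: str
    password: str             # plaintext only for this constructed example
    failed_logins: int = 0
    restricted: bool = False  # set after repeated wrong credentials
    blocked: bool = False     # set by risk controls (e.g. suspected fraud)

# Constructed sample store, not real account data.
ACCOUNTS = {"alice": Account("alice", "correct-horse")}

def check_credentials(username, password):
    """Return the account if the password matches, else None.
    Repeated failures flip the account into the restricted state."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    if not hmac.compare_digest(acct.password, password):
        acct.failed_logins += 1
        if acct.failed_logins >= 3:
            acct.restricted = True
        return None
    return acct

def access_decision(acct, security_answers_ok=False):
    """One authorization decision that every login channel must apply."""
    if acct.blocked:
        return "denied"
    if acct.restricted and not security_answers_ok:
        return "security_questions_required"
    return "granted"

def web_login(username, password, security_answers_ok=False):
    acct = check_credentials(username, password)
    return "denied" if acct is None else access_decision(acct, security_answers_ok)

def mobile_login_vulnerable(username, password):
    # The flaw described above: the API verifies only that the account exists
    # and the password matches, never consulting the restriction flags.
    acct = check_credentials(username, password)
    return "denied" if acct is None else "granted"

def mobile_login_fixed(username, password):
    # Hardened form: reuse exactly the decision the web path applies.
    acct = check_credentials(username, password)
    return "denied" if acct is None else access_decision(acct)
```

The defensive point is that the restriction state must be enforced in one place that every channel calls, so a second client (mobile, partner API) cannot silently skip it.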