A flaw in how the mobile API filters account restrictions makes blocked accounts accessible without any of the additional security details being requested.
The usual security technique in such cases is to block the account and require an answer to one or more security questions once an incorrect username-password combination has been entered several times.
In this case, however, if the user switches to a mobile device and provides the correct details, the block is simply bypassed.
Accessing Blocked PayPal Accounts from an iOS Device
There are other reasons for an account to get blocked, for example, to prevent crooks from accessing illicitly obtained funds.
The discovery of the flaw was made by Benjamin Kunz Mejri from Vulnerability Laboratory and was immediately reported to PayPal. The vulnerability was reported within the Bug Bounty campaign in March 2013 and has not been fixed so far.
The Vulnerability
The flaw was discovered in the iOS mobile application for iPad and iPhone. Neither product checks for the restriction flags that would block access to the account. The affected version of the iOS application is 4.6.0. Reportedly the flaw is still present in the latest version, 5.8.
According to the flaw report, the API does not check for partial or full account blocking. The only thing the API checks is whether the account exists. A blocked user can therefore still access their PayPal account and make transactions.
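To make the reported defect concrete, here is an added example (not PayPal's code; account names, passwords and the failure threshold are constructed) that models two login channels against one account store: a shared decision path that evaluates partial and full restriction flags before the password, and a mobile-API handler that, like the reported flaw, checks only existence and credentials.

```python
from dataclasses import dataclass
from enum import Enum
import hmac

class Restriction(Enum):
    NONE = "none"        # account in good standing
    PARTIAL = "partial"  # security question required after repeated bad logins
    FULL = "full"        # account locked, e.g. to freeze suspect funds

@dataclass
class Account:
    username: str
    password: str        # constructed sample; a real store keeps a hash
    restriction: Restriction = Restriction.NONE
    failed_logins: int = 0

CHALLENGE_AFTER = 3  # hypothetical threshold for raising a partial restriction

def credentials_ok(acct, password):
    return hmac.compare_digest(acct.password, password)

def login(store, username, password):
    """Single decision path both the web and the mobile API should call:
    restriction flags are evaluated before the password is even compared."""
    acct = store.get(username)
    if acct is None:
        return "denied"
    if acct.restriction is Restriction.FULL:
        return "blocked"
    if acct.restriction is Restriction.PARTIAL:
        return "challenge_required"
    if not credentials_ok(acct, password):
        acct.failed_logins += 1
        if acct.failed_logins >= CHALLENGE_AFTER:
            acct.restriction = Restriction.PARTIAL
        return "denied"
    return "granted"

def mobile_login_vulnerable(store, username, password):
    """Mirrors the reported flaw: only existence and password are checked,
    so a partially or fully restricted account is still let in."""
    acct = store.get(username)
    if acct is None or not credentials_ok(acct, password):
        return "denied"
    return "granted"

def reproduce():
    store = {"alice": Account("alice", "correct-horse")}  # constructed data
    for _ in range(CHALLENGE_AFTER):
        login(store, "alice", "wrong")  # web flow trips the partial restriction
    return (store["alice"].restriction,
            mobile_login_vulnerable(store, "alice", "correct-horse"),
            login(store, "alice", "correct-horse"))
```

The fix is structural rather than a patch to one client: every channel must consult the same restriction state, so a flag set by the web flow is honoured by the mobile API.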
The Glitch Demonstrated in a Video
The discovery of the flaw is supported by a video demonstrating how the vulnerability works. The footage shows a person entering false credentials several times so that the account gets blocked. When asked to answer the security question, the user switches to an iOS device, provides the correct account details, and thus gains access to the blocked account.
The flaw report states that the security vulnerability has a CVSS base score of 6.2, but no identifier has been assigned to it.