
PayPal Authentication Process Flaw Makes Blocked Accounts Accessible

A flaw in the way the mobile API filters account restrictions makes blocked accounts accessible without any additional security details being requested.

The typical security technique for such cases is to block the account after an incorrect username-password combination has been entered several times and to require an answer to one or more security questions before access is restored.
In this case, however, if the user switches to a mobile device and provides the correct details, that barrier is bypassed entirely.

Accessing Blocked PayPal Accounts from an iOS Device

There are other reasons for an account to get blocked, for example, to prevent crooks from accessing illicitly obtained funds.
The flaw was discovered by Benjamin Kunz Mejri from Vulnerability Laboratory and was immediately reported to PayPal. It was submitted through the Bug Bounty program in March 2013 and has not been fixed so far.

The Vulnerability

The flaw was discovered in the iOS mobile application for iPad and iPhone. Neither version checks the restriction flags that would block access to the account. The affected version of the iOS application is 4.6.0; reportedly, the flaw is still present in the latest version, 5.8.
According to the flaw report, the API does not check for partial or full account blocking. The only thing it checks is whether the account exists. A blocked user can therefore still access his PayPal account and make transactions.
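The defender's lesson from the report is that account state (lockout, restriction flags) must be enforced at one decision point that every channel shares, rather than re-implemented per client. The following is an added illustration, not PayPal's code or anything from the Vulnerability Laboratory report: it models the web flow the article describes (lockout after repeated failures, security-question step), the mobile check as the report characterises it (existence and password only), and a fixed mobile handler that routes through the shared policy. The lockout threshold, account names and passwords are constructed for the example.

```python
"""Constructed example: the same account-state checks applied on every login channel."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # assumed threshold; the article only says "several times"


@dataclass
class Account:
    username: str
    pw_hash: bytes
    salt: bytes
    failed_attempts: int = 0
    locked: bool = False       # set after repeated wrong passwords (the article's "blocked" state)
    restricted: bool = False   # partial/full restriction set for other reasons, e.g. suspected fraud


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(username: str, password: str, restricted: bool = False) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, _hash_password(password, salt), salt, restricted=restricted)


def _password_matches(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))


def authorize_login(accounts: dict, username: str, password: str) -> str:
    """Single decision point: the policy the article's web flow enforces.
    Returns 'denied', 'locked', 'restricted' or 'granted'."""
    acct = accounts.get(username)
    if acct is None:
        return "denied"
    if acct.locked:
        return "locked"          # web would now demand the security-question answers
    if acct.restricted:
        return "restricted"
    if not _password_matches(acct, password):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
        return "denied"
    acct.failed_attempts = 0
    return "granted"


def mobile_login_flawed(accounts: dict, username: str, password: str) -> str:
    """Mobile API as the report describes it: only existence and password are
    checked, so locked and restricted accounts are still granted access."""
    acct = accounts.get(username)
    if acct is None or not _password_matches(acct, password):
        return "denied"
    return "granted"


def mobile_login_fixed(accounts: dict, username: str, password: str) -> str:
    """The fix: the mobile channel delegates to the shared policy instead of
    re-implementing a weaker subset of it."""
    return authorize_login(accounts, username, password)


def run_scenario() -> dict:
    """Replays the article's scenario on constructed accounts and returns each outcome."""
    accounts = {
        "alice": make_account("alice", "correct horse"),
        "bob": make_account("bob", "battery staple", restricted=True),  # restricted by a fraud team
    }
    # Three wrong passwords on the web channel lock alice's account.
    for _ in range(MAX_FAILED_ATTEMPTS):
        authorize_login(accounts, "alice", "wrong password")
    return {
        "web_after_lock": authorize_login(accounts, "alice", "correct horse"),
        "mobile_flawed_locked": mobile_login_flawed(accounts, "alice", "correct horse"),
        "mobile_fixed_locked": mobile_login_fixed(accounts, "alice", "correct horse"),
        "mobile_flawed_restricted": mobile_login_flawed(accounts, "bob", "battery staple"),
        "mobile_fixed_restricted": mobile_login_fixed(accounts, "bob", "battery staple"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

In production the client would normally receive a generic failure for both "locked" and "restricted" while the distinct reason is written to the audit log; the example returns the reason directly so the divergence between the two mobile handlers is visible.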

The Glitch Demonstrated in a Video

The discovery of the flaw has been supported with a video demonstrating how the vulnerability works. The footage shows a person entering false credentials several times so that the account gets blocked. When asked to answer the security question, the user instead switches to an iOS device, provides the correct account details and thus gains access to the blocked account.

The flaw report states that the security vulnerability has a CVSS base score of 6.2, but there has been no identifier assigned to it.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
