Flaw in PayPal Authentication Process Allows Access to Blocked Accounts

  • 9 October 2014
  • 5 replies

Considering the fact that this was reported in MARCH LAST YEAR, it is far too long for a vulnerability like this to go without a fix.
 
Vulnerability has been reported in March, 2013
By Ionut Ilascu on October 9th, 2014 15:06 GMT "A vulnerability in PayPal’s filtering of account restrictions through the mobile API allows an individual access to a blocked account without providing additional security details.
When a user enters the wrong username and password pair several times, access to the account is restricted on a computer until the answer to a set security question is provided.

However, switching to a mobile device eliminates the problem and the account can be accessed with the right credentials. 

Blocked accounts can be accessed from iOS devices

Users can be denied access to their PayPal account for other reasons too, such as for preventing a fraudster from reaching illicitly obtained funds, Benjamin Kunz Mejri from Vulnerability Laboratory told us via email." Full Article and link to video


What is PayPal's problem?? That should have been fixed a year ago, don't they care about their customers???
@Antus67 wrote:
What is PayPal's problem?? That should have been fixed a year ago, don't they care about their customers???
Hello Webrooters,
 
I agree Anthony and Jasper!
 
What do I need to do now, cancel my PayPal account? Unbelievable lack of protection, which PayPal has known about since March?
 
 
 
@ wrote:
Unbelievable lack of protection, which PayPal has known about since March?
That is March LAST YEAR @ 
@ wrote:
That is March LAST YEAR @
Thanks Jasper, that's what I meant.. I did read that! :S
A bit more information.
by Pierluigi Paganini on October 11th, 2014 
Excerpt.
 
"The experts discovered that at this point, even if access to the account has been restricted by PayPal, a user simply switching to a mobile device is able to complete the authentication procedure without restrictions, despite his account having been blocked.
In summary, a user with the right credentials, via an official PayPal mobile app client, could access his account even if it has been blocked for security reasons.
The client API checks only if the account exists; the API does not check a partial or full blocking of the account. It is possible for the blocked user to get access to his PayPal account, and he is able to make transactions and send money from the account," reports the advisory issued by the Vulnerability Laboratory Research Team, which discovered the authentication vulnerability.
The security risk of the auth restriction bypass vulnerability is estimated as high, with a CVSS (Common Vulnerability Scoring System) count of 6.2. Exploitation of the vulnerability requires a restricted/blocked account of the PayPal application, without user interaction. Successful exploitation of the issue results in auth restriction bypass through the official mobile PayPal app API.
Vulnerable Service(s):
[+] PayPal Inc
Vulnerable Software(s):
[+] PayPal iOS App (iPhone & iPad) v4.6.0
Vulnerable Module(s):
[+] API
Affected Module(s):
[+] Login Verification – (Auth)" Full Article
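The bypass quoted in the advisory above comes down to two login implementations with different checks: the web flow consults the account's restriction state, while the mobile API path checks only that the account exists and the password matches. The Python sketch below is an added example, not PayPal's or Vulnerability Laboratory's code, and models that split with an in-memory account store: a web path that locks after repeated failures, a vulnerable mobile path that ignores the lock and a fraud hold, and a hardened mobile path that delegates to the same core decision. The lockout threshold, the state names, the accounts and the passwords are all constructed for illustration.

```python
# Constructed example: why account restrictions must be enforced in one place
# for every login channel. Not PayPal's code; names and thresholds are assumed.
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum

MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold


class AccountState(Enum):
    ACTIVE = "active"
    LOCKED_FAILED_LOGINS = "locked_failed_logins"  # cleared via security question
    RESTRICTED_FRAUD = "restricted_fraud"          # cleared only by manual review


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    state: AccountState = AccountState.ACTIVE
    failed_attempts: int = 0


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _derive(password, salt))


def password_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash)


def core_authenticate(store: dict, username: str, password: str) -> str:
    """Single decision point shared by every channel.

    Returns "denied" (unknown user or wrong password), "blocked" (password is
    correct but the account is restricted, so the caller must run the
    security-question or support flow), or "ok".
    """
    acct = store.get(username)
    if acct is None or not password_ok(acct, password):
        if acct is not None:
            acct.failed_attempts += 1
            if (acct.failed_attempts >= MAX_FAILED_ATTEMPTS
                    and acct.state is AccountState.ACTIVE):
                acct.state = AccountState.LOCKED_FAILED_LOGINS
        return "denied"
    # State is revealed only after the password verifies, so a caller without
    # the password cannot probe whether an account is locked.
    if acct.state is not AccountState.ACTIVE:
        return "blocked"
    acct.failed_attempts = 0
    return "ok"


def web_login(store: dict, username: str, password: str) -> str:
    return core_authenticate(store, username, password)


def mobile_api_login_vulnerable(store: dict, username: str, password: str) -> str:
    """The flaw: a second implementation that never consults acct.state and
    never counts failures, so it escapes both the lock and the lockout counter."""
    acct = store.get(username)
    if acct is None or not password_ok(acct, password):
        return "denied"
    return "ok"


def mobile_api_login_fixed(store: dict, username: str, password: str) -> str:
    """Hardened: the mobile API is just another caller of the core check."""
    return core_authenticate(store, username, password)


def run_scenario() -> dict:
    """Constructed walk-through: lock an account via the web path, then try
    each mobile path with the correct password; repeat for a fraud hold."""
    store = {"alice": make_account("alice", "correct-horse-battery")}
    results = {}
    for _ in range(MAX_FAILED_ATTEMPTS):
        web_login(store, "alice", "wrong-password")
    results["state_after_failures"] = store["alice"].state.value
    results["web_right_password"] = web_login(store, "alice", "correct-horse-battery")
    results["mobile_vulnerable"] = mobile_api_login_vulnerable(store, "alice", "correct-horse-battery")
    results["mobile_fixed"] = mobile_api_login_fixed(store, "alice", "correct-horse-battery")
    store["bob"] = make_account("bob", "hunter22")
    store["bob"].state = AccountState.RESTRICTED_FRAUD  # hold placed by fraud team
    results["fraud_mobile_vulnerable"] = mobile_api_login_vulnerable(store, "bob", "hunter22")
    results["fraud_mobile_fixed"] = mobile_api_login_fixed(store, "bob", "hunter22")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Two points from the design are worth carrying over to real systems. First, the restriction state and the failed-attempt counter live behind one function, so a client that sends failures to the mobile API drives the same lock the web flow enforces; a separate implementation silently becomes a second, weaker policy. Second, the core checks the password before it reveals the restriction, so an unauthenticated caller cannot use the "blocked" response to enumerate locked or fraud-held accounts.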