PayPal Mobile API Flaw Allows Security Feature Bypass

A researcher has identified a vulnerability in the PayPal mobile API that can be exploited by an attacker to bypass a security feature that's designed to prevent account takeovers.

For security reasons, PayPal accounts are temporarily blocked if someone enters incorrect passwords several times. In order to have the account unblocked, the user must answer a series of security questions.

While this security feature is enforced in the regular Web application, the mobile API does not check whether the account is restricted before allowing another login attempt, Benjamin Kunz Mejri, the founder of Vulnerability Lab and the researcher who identified the issue, revealed in an advisory published last week.
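The defect described above is a consistency problem, not a password problem: the lockout state is a property of the account, but it was only checked on one client path. The following added example (written for this article; it is not PayPal's or Vulnerability Lab's code, and every account, password, threshold and class name in it is constructed) models a toy authentication backend in two forms. In the first, the lock check lives only in the web login path and the mobile path checks only that the account exists, so a locked account still authenticates through the mobile route. In the second, every client entry point is routed through one server-side authenticate function that evaluates the lock state before the password is ever compared, and the lock can only be cleared by answering the security question.

```python
"""Added example: a lockout check that lives in one client path (vulnerable)
versus one that lives in the shared authentication core (hardened).
All accounts, passwords, answers and the lockout threshold are constructed."""

import hashlib
import hmac
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # constructed threshold; the article only says "several times"


@dataclass
class Account:
    username: str
    password_hash: str
    answer_hash: str
    failed_attempts: int = 0
    locked: bool = False


def _digest(secret: str) -> str:
    # Toy hash for the example only; a real system would use a slow
    # password hash such as argon2 or bcrypt.
    return hashlib.sha256(secret.encode()).hexdigest()


class AccountStore:
    def __init__(self) -> None:
        self._accounts = {}

    def add(self, username: str, password: str, answer: str) -> None:
        self._accounts[username] = Account(username, _digest(password), _digest(answer))

    def get(self, username: str):
        return self._accounts.get(username)


def _check_password(acct: Account, password: str) -> bool:
    """Verify the password, counting failures and locking at the threshold."""
    if hmac.compare_digest(acct.password_hash, _digest(password)):
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
    return False


class VulnerableAuthService:
    """Lock check exists only in the web path; the mobile path checks existence only."""

    def __init__(self, store: AccountStore) -> None:
        self.store = store

    def web_login(self, username: str, password: str) -> str:
        acct = self.store.get(username)
        if acct is None:
            return "invalid"
        if acct.locked:
            return "locked"
        return "ok" if _check_password(acct, password) else "invalid"

    def mobile_api_login(self, username: str, password: str) -> str:
        acct = self.store.get(username)
        if acct is None:  # only existence is checked, never the lock state
            return "invalid"
        return "ok" if _check_password(acct, password) else "invalid"


class HardenedAuthService:
    """One server-side authenticate routine that every client entry point uses."""

    def __init__(self, store: AccountStore) -> None:
        self.store = store

    def _authenticate(self, username: str, password: str) -> str:
        acct = self.store.get(username)
        if acct is None:
            return "invalid"
        if acct.locked:  # enforced before any password comparison, for every client
            return "locked"
        return "ok" if _check_password(acct, password) else "invalid"

    web_login = _authenticate
    mobile_api_login = _authenticate

    def unlock_with_security_answer(self, username: str, answer: str) -> bool:
        """The only way to clear a lock: answer the security question correctly."""
        acct = self.store.get(username)
        if acct is None or not hmac.compare_digest(acct.answer_hash, _digest(answer)):
            return False
        acct.locked = False
        acct.failed_attempts = 0
        return True


def demo() -> dict:
    """Lock a constructed account via the web path, then compare the two mobile paths."""
    results = {}
    for cls in (VulnerableAuthService, HardenedAuthService):
        store = AccountStore()
        store.add("alice", "correct-horse", "blue")  # constructed sample account
        svc = cls(store)
        for _ in range(MAX_FAILED_ATTEMPTS):
            svc.web_login("alice", "wrong-password")
        outcome = {
            "web_after_lock": svc.web_login("alice", "correct-horse"),
            "mobile_after_lock": svc.mobile_api_login("alice", "correct-horse"),
        }
        if isinstance(svc, HardenedAuthService):
            outcome["unlocked"] = svc.unlock_with_security_answer("alice", "blue")
            outcome["mobile_after_unlock"] = svc.mobile_api_login("alice", "correct-horse")
        results[cls.__name__] = outcome
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running `demo()` shows the vulnerable service returning "locked" on the web path but "ok" on the mobile path for the same locked account, while the hardened service returns "locked" on both until the security answer clears the lock. The design point is that account state checks belong in the shared core behind every client, so a new client (a mobile app, a partner API) cannot silently omit them.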

"The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for the blocked user to get access to his PayPal account and is able to make transactions and he can send money from the account. The mobile iPhone / iPad Paypal app does need a security upgrade to ensure that the status of an account is also verified and how the app reacts when such an event takes place," Vulnerability Lab wrote in its advisory.

The flaw has been tested and confirmed on the iOS app, but Kunz Mejri told SecurityWeek that the Android version of the PayPal application is also impacted.

The security hole was reported to PayPal back in March 2013, but it's still unfixed despite several versions of the app being released since. Kunz Mejri said PayPal initially had problems with reproducing the vulnerability and denied that an issue existed. However, the payment processor confirmed the flaw after being provided a proof-of-concept video.

Originally, no reward had been paid out for the vulnerability because the company first believed it was out of scope, but Kunz Mejri believes it should qualify for a bounty.

PayPal told SecurityWeek that it is working on addressing the vulnerability, and later told SecurityWeek that it would reward the researcher for reporting the security issue.

"Through the PayPal Bug Bounty Program, Vulnerability Labs made us aware of a potential way to bypass security questions when people log in to the PayPal mobile app. Our customers' security is important to us and we are working to resolve this issue. We want to emphasize that we do not have any evidence this finding impacted the security of PayPal accounts," PayPal said in an emailed statement.

"The finding identified by the researcher is related to an extra layer of security that we enable when we suspect suspicious activity on a customer's account. We have additional security controls in place to prevent criminals from trying multiple passwords when attempting to gain access to a person's account. We also have extensive fraud and risk detection technologies and dedicated security teams that help keep our customers' accounts secure," the company noted.

*10/17 - Updated to include that PayPal would reward the researcher for reporting the issue.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.