PayPal Mobile API Flaw Allows Security Feature Bypass

A researcher has identified a vulnerability in the PayPal mobile API that can be exploited by an attacker to bypass a security feature that’s designed to prevent account takeovers.

For security reasons, PayPal accounts are temporarily blocked if someone enters incorrect passwords several times. In order to have the account unblocked, the user must answer a series of security questions.

While this security feature is enforced in the regular Web application, the mobile API doesn’t check if the account is restricted before allowing the user to attempt to log in again, Benjamin Kunz Mejri, Vulnerability Lab founder and the one who identified the issue, revealed in an advisory published last week.

“The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for the blocked user to get access to his PayPal account and is able to make transactions and he can send money from the account. The mobile iPhone / iPad Paypal app does need a security upgrade to ensure that the status of an account is also verified and how the app reacts when such an event takes place,” Vulnerability Lab wrote in its advisory.
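The defect the advisory describes is a lockout policy enforced in one channel (the web application) but not in another (the mobile API). The following is an added illustration, not PayPal's or Vulnerability Lab's code: a single account store with a web login that honours the lock, a mobile login modelled on the advisory (checks only that the account exists), and a hardened mobile login that routes through the same lock check. The lockout threshold, account names and passwords are constructed assumptions.

```python
# Added example: one account store, two login channels. The lock must be
# checked by every channel, not only by the web front end.
from dataclasses import dataclass

MAX_FAILED = 3  # assumed lockout threshold; the article gives no number


@dataclass
class Account:
    password: str              # plaintext only to keep the example short
    failed: int = 0            # consecutive wrong passwords
    locked: bool = False       # set once failed reaches MAX_FAILED
    questions_passed: bool = False  # cleared by the security-question flow


def new_store() -> dict:
    """Constructed sample data; not real credentials."""
    return {"alice": Account(password="correct-horse")}


def check_password(acct: Account, password: str) -> bool:
    """Shared credential check that also maintains the lockout counter."""
    if acct.password == password:
        acct.failed = 0
        return True
    acct.failed += 1
    if acct.failed >= MAX_FAILED:
        acct.locked = True
    return False


def is_blocked(acct: Account) -> bool:
    """Single source of truth for 'may this account attempt a login?'."""
    return acct.locked and not acct.questions_passed


def web_login(accounts: dict, user: str, password: str) -> str:
    acct = accounts.get(user)
    if acct is None:
        return "denied"
    if is_blocked(acct):
        return "blocked: answer security questions"
    return "ok" if check_password(acct, password) else "denied"


def mobile_login_vulnerable(accounts: dict, user: str, password: str) -> str:
    """Mirrors the advisory: only existence is checked, never lock status."""
    acct = accounts.get(user)
    if acct is None:
        return "denied"
    return "ok" if check_password(acct, password) else "denied"


def mobile_login_hardened(accounts: dict, user: str, password: str) -> str:
    """Same policy on every channel: reuse the shared block check."""
    acct = accounts.get(user)
    if acct is None or is_blocked(acct):
        return "denied" if acct is None else "blocked: answer security questions"
    return "ok" if check_password(acct, password) else "denied"
```

A regression test for this class of bug is simply: lock the account through one channel, then assert that every other channel refuses the correct password until the security questions are answered.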

The flaw has been tested and confirmed on the iOS app, but Kunz Mejri told SecurityWeek that the Android version of the PayPal application is also impacted.

The security hole was reported to PayPal back in March 2013, but it’s still unfixed despite several versions of the app being released since. Kunz Mejri said PayPal initially had problems with reproducing the vulnerability and denied that an issue existed. However, the payment processor confirmed the flaw after being provided a proof-of-concept video.

Originally, no reward had been paid out for the vulnerability because the company initially considered it out of scope, but Kunz Mejri believes it should qualify for a bounty.


PayPal told SecurityWeek that it is working on addressing the vulnerability, and later told SecurityWeek that it would reward the researcher for reporting the security issue.

“Through the PayPal Bug Bounty Program, Vulnerability Labs made us aware of a potential way to bypass security questions when people login to PayPal mobile app. Our customers’ security is important to us and we are working to resolve this issue. We want to emphasize that we do not have any evidence this finding impacted the security of PayPal accounts,” PayPal said in an emailed statement.

“The finding identified by the researcher is related to an extra layer of security that we enable when we suspect suspicious activity on a customer’s account. We have additional security controls in place to prevent criminals from trying multiple passwords when attempting to gain access to a person’s account. We also have extensive fraud and risk detection technologies and dedicated security teams that help keep our customers’ accounts secure,” the company noted.

*10/17 - Updated to include that PayPal would reward the researcher for reporting the issue.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
