The vulnerability was reported in March 2013

Oct 9, 2014 15:06 GMT  ·  By

A vulnerability in the way PayPal’s mobile API enforces account restrictions allows an individual to access a blocked account without providing the additional security details that the web interface requires.

When a user enters the wrong username and password pair several times, access to the account is restricted on a computer until the answer to a set security question is provided.

However, switching to a mobile device bypasses the restriction entirely: the account can be accessed with nothing more than the right username and password.

Blocked accounts can be accessed from iOS devices

Users can be denied access to their PayPal account for other reasons too, such as to prevent a fraudster from reaching illicitly obtained funds, Benjamin Kunz Mejri from Vulnerability Laboratory told us via email.

He is credited with the discovery of the vulnerability, which was reported in a responsible manner to PayPal. As per the disclosure timeline, the researcher notified the concerned parties through the Bug Bounty program in March 2013, and a fix is not currently available, Kunz Mejri told us.

The affected product is the iOS mobile application for both iPhone and iPad, which fails to check for the restriction flags that would deny access to the account.

In the report of the glitch, Mejri says that version 4.6.0 of the iOS app is affected. At the moment, the latest version in the AppStore is 5.8, but the researcher has confirmed that the flaw still works.

“The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for the blocked user to get access to his PayPal account and is able to make transactions and he can send money from the account,” the vulnerability disclosure report says.

Flaw demonstrated in video

A video demonstrating the flaw has been published, showing how the researcher intentionally enters the wrong username in order to have the account blocked.

After several attempts, the service requests the answer to a security question in order to validate the user.

Then the researcher switches to the iOS device and types the correct credentials, which grant him access to the blocked account, allowing him to initiate financial transactions.

The disclosure document estimates that this security glitch has a high CVSS (Common Vulnerability Scoring System) base score of 6.2, but no identifier has been assigned to it.

No bounty has been paid for the discovery and responsible disclosure of the bug.