Nov 4, 2010 10:48 GMT

PayPal has released a security update for its iPhone application after researchers identified a serious vulnerability that exposed users to man-in-the-middle (MitM) attacks.

The issue was discovered by a Chicago-based security company called viaForensics, which provides a free mobile applications testing service dubbed appWatchdog.

The service tests if applications use two-factor authentication, if they store usernames and passwords securely, and if they transmit sensitive data securely over the Internet.

According to the findings, PayPal's iPhone app failed to properly validate the SSL certificate presented by the server it connected to, so it had no way of telling whether it was really talking to PayPal's website.

This serious oversight allows an attacker who can intercept the app's traffic to pose as paypal.com and harvest the login credentials the app sends, since the app cannot distinguish the impostor from the real site.

However, the likelihood of a real-world compromise is fairly low, because pulling off this MitM attack requires the attacker to be positioned where the victim's traffic can be intercepted.

In practice that means sitting on an open wireless network and waiting for a potential victim to use the PayPal iPhone app over it.
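To make concrete what "failing to validate the certificate" buys an attacker on an open wireless network, here is an added example; it is not code from the original article or from PayPal's app, and it is written in Go rather than for iOS because Go can stage both ends of the connection on loopback with nothing but the standard library. Every certificate in it is constructed on the fly: root.example is the assumed CA in the device's trust store, hotspot.example is an attacker's honestly issued certificate for its own name, and "paypal.com" appears only as a name inside a self-signed certificate, so nothing contacts the real service. A client built with InsecureSkipVerify stands in for the flawed app and accepts the attacker's self-signed "paypal.com" certificate; a client that verifies the chain against its trust store and checks the hostname rejects that certificate, rejects a CA-issued certificate for the wrong name, and still accepts the genuine one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for name (constructed for this example). With parent == nil it
// is self-signed, which is all an attacker on open Wi-Fi can mint; otherwise parent signs it.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if !isCA { // a server cert carries the hostname a careful client must match
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// serve presents cert from a loopback TLS server: whatever sits at the far end
// of the connection, be it the attacker's box or the genuine site.
func serve(cert *x509.Certificate, key *ecdsa.PrivateKey) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
	srv.StartTLS()
	return srv
}

// dial connects to addr believing it is expectHost, trusting only roots, and reports the verdict.
// skipVerify == true is the bug class in the story: TLS is spoken, but nobody checks who answers.
func dial(addr, expectHost string, roots *x509.CertPool, skipVerify bool) string {
	cfg := &tls.Config{ServerName: expectHost, RootCAs: roots, InsecureSkipVerify: skipVerify}
	conn, err := tls.Dial("tcp", addr, cfg)
	var ua x509.UnknownAuthorityError
	var hn x509.HostnameError
	switch {
	case err == nil:
		conn.Close()
		return "accepted"
	case errors.As(err, &ua):
		return "rejected: unknown authority"
	case errors.As(err, &hn):
		return "rejected: hostname mismatch"
	}
	return "rejected: " + err.Error()
}

// Demo stages the attack on loopback against a vulnerable and a fixed client and returns each
// verdict by scenario. "paypal.com" is only a name inside constructed certificates.
func Demo() map[string]string {
	ca, caKey := newCert("root.example", true, nil, nil)
	roots := x509.NewCertPool() // the device's trust store holds just this CA
	roots.AddCert(ca)
	run := func(certName string, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, skipVerify bool) string {
		cert, key := newCert(certName, false, issuer, issuerKey)
		srv := serve(cert, key)
		defer srv.Close()
		return dial(srv.Listener.Addr().String(), "paypal.com", roots, skipVerify)
	}
	return map[string]string{
		"vulnerable client, self-signed paypal.com": run("paypal.com", nil, nil, true),
		"fixed client, self-signed paypal.com":      run("paypal.com", nil, nil, false),
		"fixed client, CA-issued hotspot.example":   run("hotspot.example", ca, caKey, false),
		"fixed client, CA-issued paypal.com":        run("paypal.com", ca, caKey, false),
	}
}

func main() {
	for scenario, verdict := range Demo() {
		fmt.Printf("%-44s %s\n", scenario, verdict)
	}
}
```

Run it with go run. When the fixed client refuses the spoofed certificate, the loopback server logs a TLS handshake error ("remote error: tls: bad certificate"), which is the impostor watching its spoof fail. The last two scenarios are there on purpose: a client that only checks the chain would still accept the hotspot.example certificate while believing it reached paypal.com, and a fix that rejected everything would be no fix at all, so the genuine CA-issued paypal.com certificate must still be accepted.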

PayPal provides mobile applications for devices running iOS, Android or BlackBerry OS, which allow users to send money, withdraw funds, check their balance and manage their accounts.

According to the iTunes App Store, the fixed version of PayPal's iPhone application is 3.0.1. viaForensics also tested the Android variant, but no security issues were identified.

"To my knowledge it has not affected anybody. We've never had an issue with our app until now," a PayPal spokeswoman told the Wall Street Journal.

She also noted that the company confirmed the vulnerability on Tuesday night and submitted a new version of the application to Apple yesterday.

The new version's change log doesn't go into details about the problem and only reads: "includes an important security update."

PayPal is not the only financial services company to have had a security flaw discovered in its mobile application. Back in July, we reported that Citigroup also patched a serious security hole in its iPhone app.