U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

Authentication vulnerability in PayPal mobile API allows access to restricted Accounts

An Authentication vulnerability in PayPal mobile API, discovered more than one year ago, allows access to restricted Accounts. Another authentication flaw affects PayPal mobile API, an attacker exploiting it could gain access to Blocked Accounts. The authentication restriction bypass vulnerability, resides in the mobile API authentication procedure of the PayPal online-service, according to Vulnerability Laboratory […]

Authentication vulnerability in PayPal mobile API allows access to restricted Accounts

An Authentication vulnerability in PayPal mobile API, discovered more than one year ago, allows access to restricted Accounts.

Another authentication flaw affects PayPal mobile API, an attacker exploiting it could gain access to Blocked Accounts. The authentication restriction bypass vulnerability, resides in the mobile API authentication procedure of the PayPal online-service, according to Vulnerability Laboratory Research Team which discovered the flaw.

When a user tries several times to access the PayPal service providing wrong a password the access to its account is restricted by PayPal to avoid unauthorized accesses, at this point it is requested to the legitimate user to provide the answers to a number of security questions he has provided in the past.

The experts discovered that at this point, even if the access to the account has been restricted by PayPal, the user simply switching to a mobile device is able to complete the authentication procedure without restrictions, despite his account has been blocked.

Resuming the user with right credentials via an official PayPal mobile app client could access to his account even if it has been blocked for security reasons.

The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for the blocked user to get access to his PayPal account and is able to make transactions and he can send money from the account,” reports the advisory issued by the Vulnerability Laboratory Research Team which discovered the authentication vulnerability.

The security risk of the auth bypass restriction vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.2. Exploitation of the vulnerability requires a restricted/blocked account of the paypal application without user interaction. Successful exploitation of the issue results in auth restriction bypass through the official mobile paypal app api. Vulnerable Service(s): [+] PayPal Inc Vulnerable Software(s):
[+] PayPal iOS App (iPhone & iPad) v4.6.0 Vulnerable Module(s):
[+] API Affected Module(s):
[+] Login Verification – (Auth)

At this point the attack scenario is very scaring, PayPal could temporarily denies the access to a legitimate user while a remote attacker which has the account credentials could “login through the mobile API with PayPal portal restriction to access account information or interact with the compromised account.”

 

paypal authentication vulnerability

 

The bad news is that the authentication vulnerability has been reported over one year ago by Benjamin Kunz Mejri from Vulnerability Laboratory, but it is still present in the PayPal authentication service.

Another disconcerting aspect of the story is that the researcher hasn’t received any bug bounty for the discovery of the flaw.

Below a video Proof of concept for the authentication vulnerability in the PayPal service.

 

Let’s see what happen now!

Pierluigi Paganini

(Security Affairs –  PayPal, authentication vulnerability)