Does it count as a vulnerability? The controversial PayPal account-lock bypass - 黑吧安全网 (myhack58)

ID MYHACK58:62201454859
Type myhack58
Reporter Anonymous (佚名)
Modified 2014-10-21T00:00:00


Security researcher and white hat Benjamin Kunz Mejri recently found a vulnerability in PayPal's mobile payment API that an attacker could exploit to bypass PayPal's anti-theft account lock.

Using the mobile payment API to bypass the account-lock design

PayPal's anti-theft account lock works like this: if someone repeatedly enters an incorrect password, the PayPal account is temporarily locked. To unlock the account, the user must answer a series of security questions.

This protection is only enforced in the conventional web application. Kunz Mejri found that the mobile API does not check whether the account is locked and simply lets the user log in again, so the lock can be bypassed by switching clients.

Benjamin Kunz Mejri, founder of Vulnerability Lab and the person who found the problem, published the vulnerability last week.

“The client API only checks whether the account exists and does not check whether the account is blocked, which makes the blocked user able to access a PayPal account and make transfers and other transactions; he can send money from the account. The iPhone/iPad PayPal app needs to be updated to ensure the application can verify the account status, in order to prevent the account theft from happening.”

The vulnerability was verified by testing against the iOS application, but Kunz Mejri said the Android version of the PayPal app is also affected.
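The following is an added example, written for this page and not PayPal's or Vulnerability Lab's code, that models the failure described above: a web login path that counts failed attempts, locks the account and requires a security answer to unlock, beside a mobile API path that only checks that the account exists and the password matches, so the lock never applies. The account store, usernames, passwords, security answer and the lock threshold of three attempts are all constructed for the example; the hardened mobile path simply routes every client through the same policy check.

```python
# Illustrative model of an account lock that the web login enforces but a
# mobile client API skips. Hypothetical code, not PayPal's implementation.
import hashlib
import hmac
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # assumed threshold; the article gives no number


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Account:
    username: str
    password_digest: str
    security_answer_digest: str
    failed_attempts: int = 0
    locked: bool = False


def make_store() -> dict:
    """Constructed sample account store (not real data)."""
    return {"alice": Account("alice", _digest("hunter2"), _digest("rex"))}


def _credentials_match(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password_digest, _digest(password))


def web_login(store: dict, username: str, password: str) -> str:
    """Conventional web login: counts failures and refuses locked accounts."""
    acct = store.get(username)
    if acct is None:
        return "no such account"
    if acct.locked:
        return "locked"
    if _credentials_match(acct, password):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        return "locked"
    return "bad password"


def mobile_login_vulnerable(store: dict, username: str, password: str) -> str:
    """Models the reported flaw: checks that the account exists and that the
    password matches, but never consults the lock flag, so a locked account
    is still usable from the mobile client."""
    acct = store.get(username)
    if acct is None:
        return "no such account"
    if _credentials_match(acct, password):
        return "ok"
    return "bad password"


def mobile_login_fixed(store: dict, username: str, password: str) -> str:
    """Hardened variant: every client goes through the same policy check."""
    return web_login(store, username, password)


def unlock_with_security_answer(store: dict, username: str, answer: str) -> bool:
    """Unlock only a locked account, and only with the correct answer."""
    acct = store.get(username)
    if acct is None or not acct.locked:
        return False
    if hmac.compare_digest(acct.security_answer_digest, _digest(answer)):
        acct.locked = False
        acct.failed_attempts = 0
        return True
    return False


def demo() -> dict:
    """Lock alice via the web, then try each mobile path against the lock."""
    store = make_store()
    for _ in range(MAX_FAILED_ATTEMPTS):
        web_login(store, "alice", "wrong")
    results = {
        "web_after_lock": web_login(store, "alice", "hunter2"),
        "mobile_vulnerable": mobile_login_vulnerable(store, "alice", "hunter2"),
        "mobile_fixed": mobile_login_fixed(store, "alice", "hunter2"),
    }
    unlock_with_security_answer(store, "alice", "rex")
    results["mobile_fixed_after_unlock"] = mobile_login_fixed(store, "alice", "hunter2")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the model makes is that a lock is only as strong as the least careful login path: the lock flag lives in the shared account store, so any client that authenticates without reading it silently bypasses the policy. Routing all clients through one decision function, as `mobile_login_fixed` does, removes the divergence rather than patching one client at a time.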
