Security researcher and white hat Benjamin Kunz Mejri recently disclosed a vulnerability in PayPal's mobile payment API that an attacker could exploit to bypass PayPal's anti-theft account-lock design.
Using the mobile payment API to bypass the account-lock design
PayPal's anti-theft account-lock design works like this: if someone repeatedly enters an incorrect password, the PayPal account is temporarily blocked. To unblock the account, the user must answer a series of security questions.
This protection, however, is enforced only in the conventional web application. Kunz Mejri found that the mobile API does not check whether the account is blocked and simply allows the user to log in again.
Benjamin Kunz Mejri is the founder of Vulnerability Lab and the person who found the problem; he published the vulnerability last week.
“The client API only checks whether the account exists and does not check whether the account is blocked, which allows a blocked user to access a PayPal account and make transfers and other transactions; he can send money from the account. The iPhone/iPad PayPal app needs to be updated to ensure that the application verifies the account status, in order to prevent account theft.”
The vulnerability was verified on the iOS app, but Kunz Mejri said the Android version of the PayPal app is also affected.
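The root cause described above is a lock check that lives in one authentication surface (the web form) but not in another (the mobile API). The following is an added illustration, not PayPal's code and not Vulnerability Lab's proof of concept: a toy account store with a `mobile_login_vulnerable` routine that mirrors the described flaw (it checks only that the account exists and the password matches) next to a single shared `authenticate` routine that every client is expected to call and that consults the lock state first. Account names, passwords, the lockout threshold and the security-question unlock are all constructed for the example.

```python
"""Added example: one shared authentication path that enforces account lockout
on every client surface. All names and data below are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5  # assumed threshold; the article gives no number


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-account salt; work factor kept modest for the example
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(username: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt))


# Constructed account store shared by the web and mobile entry points
ACCOUNTS = {"alice": make_account("alice", "correct-horse")}


def password_matches(acct: Account, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)


def mobile_login_vulnerable(username: str, password: str) -> bool:
    """Mirrors the flaw the article describes: the client API checks only that
    the account exists and the password is right, never the lock flag, so a
    locked account still logs in here."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    return password_matches(acct, password)


def authenticate(username: str, password: str) -> str:
    """Single routine every surface (web form, mobile API) must call.
    Returns "ok", "locked" or "invalid". Lock state is checked before the
    password, failures are counted, and the lock is applied at the threshold."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return "invalid"
    if acct.locked:
        return "locked"          # same answer regardless of the password offered
    if password_matches(acct, password):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
    return "invalid"


def unlock_after_security_questions(username: str, answers_correct: bool) -> bool:
    """Stand-in for the security-question flow: only a correct set of answers
    clears the lock and resets the failure counter."""
    acct = ACCOUNTS.get(username)
    if acct is None or not answers_correct:
        return False
    acct.locked = False
    acct.failed_attempts = 0
    return True


def lock_account_by_failed_attempts(username: str) -> bool:
    """Drive the shared path past the threshold with wrong passwords and report
    whether the account ended up locked."""
    for _ in range(MAX_FAILED_ATTEMPTS):
        authenticate(username, "wrong-password")
    acct = ACCOUNTS.get(username)
    return acct is not None and acct.locked


if __name__ == "__main__":
    print("locked:", lock_account_by_failed_attempts("alice"))
    print("vulnerable mobile path:", mobile_login_vulnerable("alice", "correct-horse"))
    print("shared path:", authenticate("alice", "correct-horse"))
    print("unlocked:", unlock_after_security_questions("alice", True))
    print("shared path after unlock:", authenticate("alice", "correct-horse"))
```

Run stand-alone, the script locks the constructed account with five bad passwords, shows the vulnerable mobile routine still accepting the correct password on the locked account, shows the shared routine refusing it with `locked`, and then unlocks through the security-question stand-in. The design point is that lockout is a property of the account record, so the check belongs in the one function all clients share rather than in each front end.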