PayPal, the payment service provider, is affected by a restriction bypass vulnerability that could allow an attacker to circumvent account restrictions or gain unauthorized access to blocked PayPal accounts.
The vulnerability lies in PayPal's mobile API authentication procedure, which only checks whether the account exists, not whether any restrictions have been placed on it.
How the Vulnerability Works
If a PayPal user tries to log into their account several times with the wrong username and password combination, PayPal automatically locks the account for security reasons. After enough failed login attempts, PayPal requires the user to answer the security questions set on the account to verify the user's identity. According to the disclosure, when the user switches to a mobile device, the security questions are skipped and the account can be accessed with the credentials alone.
What is wrong with this?
There is nothing wrong in itself with a mobile device bypassing the security-question step and granting users access to their account once correct credentials are entered. The problem with the disclosed PayPal vulnerability is that it grants access to locked and blocked accounts. PayPal blocks accounts for a number of reasons, including theft prevention and keeping fraudsters from reaching their funds.
“The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for the blocked user to get access to his PayPal account and is able to make transactions and he can send money from the account,” states the vulnerability disclosure document.
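The defect the disclosure describes is a state check that one authentication path omits. The following Python sketch is added here for illustration and is not PayPal's code: it places a hypothetical existence-only login (the behaviour attributed to the mobile API) beside a login that enforces the lock and restriction flags for every client. The account store, the flag names, the three-attempt lockout threshold and the result strings are all assumptions.

```python
"""Hypothetical login service contrasting an existence-only credential check
with one that also enforces account lock and restriction state.
Not PayPal's code; all names, flags and thresholds are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # assumed threshold; the real value is not on the page


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False       # set after repeated failed logins
    restricted: bool = False   # set by fraud / theft-prevention review (partial or full block)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(username: str, password: str, **flags) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), **flags)


def password_matches(acct: Account, password: str) -> bool:
    # constant-time comparison of the derived hashes
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))


def login_existence_only(accounts: dict, username: str, password: str) -> str:
    """Vulnerable pattern: 'does the account exist and does the password match?'
    The lock and restriction flags are never consulted, so a locked or blocked
    account is fully usable from a client that authenticates this way."""
    acct = accounts.get(username)
    if acct is None or not password_matches(acct, password):
        return "denied"
    return "session"


def login_enforcing_flags(accounts: dict, username: str, password: str) -> str:
    """Hardened pattern: the same state checks apply whichever client calls.
    (The distinct result strings are for the demonstration; a production
    service would collapse them to avoid leaking account state to callers.)"""
    acct = accounts.get(username)
    if acct is None:
        return "denied"
    matched = password_matches(acct, password)  # always computed, keeps timing uniform
    if acct.locked:
        # correct credentials do not clear a lock; a separate verification step is required
        return "locked: additional verification required"
    if not matched:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
        return "denied"
    acct.failed_attempts = 0
    if acct.restricted:
        return "restricted: account under review"
    return "session"


def reproduce_scenario() -> tuple:
    """Lock an account through the flag-enforcing path (the web login in the
    disclosure), then present correct credentials to both mobile variants."""
    accounts = {"alice": make_account("alice", "correct horse")}  # constructed sample account
    for _ in range(MAX_FAILED_ATTEMPTS):
        login_enforcing_flags(accounts, "alice", "wrong password")
    locked = accounts["alice"].locked
    mobile_vulnerable = login_existence_only(accounts, "alice", "correct horse")
    mobile_hardened = login_enforcing_flags(accounts, "alice", "correct horse")
    return locked, mobile_vulnerable, mobile_hardened


if __name__ == "__main__":
    print(reproduce_scenario())
```

The point of the contrast is that the lock and restriction flags are properties of the account, not of the client, so every authentication path has to read them; an API that stops at "the account exists and the password matches" turns the lockout into a web-only control.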
Year Old Vulnerability
The vulnerability was disclosed by Benjamin Kunz Mejri, a research team member at the Vulnerability Laboratory. Mejri notified PayPal through its Bug Bounty program back in March 2013, but PayPal has yet to take any action on the flaw.
The mobile authentication flaw appears to be present on both iPhone and iPad devices, as the API fails to check the restriction flags that would otherwise have blocked access to the account. Mejri says that version 4.6.0 of the PayPal iOS app is vulnerable. The PayPal mobile application is currently at version 5.8, but Mejri has confirmed that the flaw is still present.
Mejri published a video demonstration of the flaw, showing him intentionally entering the wrong username and password combination in order to have the account locked. After several attempts, PayPal requests that Mejri answer the security questions set on the account to authenticate or validate his identity. Mejri then moves over to an iOS device and types in the correct credentials, granting him instant access to the same blocked account and allowing him to transfer funds and interact with the account. In the vulnerability disclosure report, the security flaw is said to have a high Common Vulnerability Scoring System (CVSS) score of 6.2, but no identifier has been assigned. PayPal has also failed to pay Mejri his Bug Bounty reward. Below is Mejri's proof-of-concept video demonstration: