An authentication restriction bypass vulnerability in the payment service provider PayPal allows an attacker to bypass the account-restriction filter through the mobile API and gain unauthorized access to a blocked account without providing any additional security details. The vulnerability was reported in 2013, but PayPal has not fixed it as of now.
What is the flaw?
When a PayPal user enters a wrong username/password pair too many times, access to the account is restricted for security reasons until the user correctly answers the security question that the account holder set up.
However, if the user switches to a mobile device and tries to access the temporarily restricted PayPal account with the right credentials through the official PayPal mobile app, which talks to the mobile API, the user gets access to the account without providing any additional security details.
What is wrong with that?
In the normal course of operations there is nothing wrong with the mobile app skipping the security question and letting a PayPal user in with the right credentials, but the same path also works for blocked accounts. For various security reasons, such as preventing a fraudster from reaching illegally obtained funds, PayPal may temporarily block users from accessing their PayPal account. In such cases, a remote attacker can log in through the mobile API to access account information or interact with the compromised account.
The mobile API only checks whether the user account exists; it does not check whether the account is partially or fully blocked. As a result, a user whose account has been blocked can still log in to that PayPal account, make transactions and send money from it.
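The root cause described above is a restriction check that exists in one login channel but not the other. The following toy backend is an added illustration and not PayPal's code: a single account store with a web handler that sets a restriction flag after repeated failures, a mobile handler that mirrors the described flaw by checking only existence and password, and a fixed mobile handler that enforces the same restriction state on every channel. The lock threshold, user name and password are constructed sample values.

```python
# Added illustration, not PayPal's code: one credential store shared by a
# web and a mobile login path. mobile_login_vulnerable reproduces the flaw
# the article describes (password verified, restriction flag ignored);
# mobile_login_fixed applies the same restriction logic as the web path.
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 3  # assumption: restrict after three bad logins

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    def __init__(self):
        self.accounts = {}

    def create(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "hash": _hash(password, salt),
                               "failed": 0, "restricted": False}

    def _password_ok(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct["hash"], _hash(password, acct["salt"]))

    def web_login(self, user, password):
        """Web path: counts failures and restricts the account after too many."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        if acct["restricted"]:
            return "challenge_required"  # security question must be answered
        if self._password_ok(user, password):
            acct["failed"] = 0
            return "granted"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["restricted"] = True
        return "denied"

    def mobile_login_vulnerable(self, user, password):
        """Mobile path as described: existence + password only, flag ignored."""
        return "granted" if self._password_ok(user, password) else "denied"

    def mobile_login_fixed(self, user, password):
        """Mobile path that honours the same restriction state as the web path."""
        return self.web_login(user, password)
```

A detection-side check follows from the same idea: a successful mobile login for an account whose restriction flag is set should never occur, so such an event is worth alerting on.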
Vulnerability Reported in 2013, but Still Not Patched
The critical vulnerability was discovered in 2013 by Benjamin Kunz Mejri of Vulnerability Laboratory. As a responsible researcher, Mejri reported the vulnerability to PayPal's team through its Bug Bounty Program, but PayPal has yet to patch the flaw.
According to the vulnerability disclosure document, the authentication restriction bypass vulnerability in PayPal has been assigned a high CVSS (Common Vulnerability Scoring System) base score of 6.2, but no identifier has been assigned to the bug. PayPal has paid Mejri no bounty for the discovery.
Video demonstration of the flaw:
A video demonstrating the vulnerability has also been published by the researcher, showing how he intentionally enters the wrong usernames in order to have his account blocked. After several attempts, the online payment service asks him to answer a security question in order to validate the user.
But rather than answering those questions, the researcher switches to the iOS device and types the correct combination of username and password, which easily grants him access to his blocked account and allows him to initiate financial transactions.
Products Affected by the Flaw
The critical vulnerability affects the iOS mobile application for both iPhone and iPad, as it fails to check the restriction flags that would deny access to a blocked account. In his report on the glitch, Mejri says that version 4.6.0 of the PayPal iOS app is affected, and that the flaw also works on the latest App Store version, PayPal 5.8.