PayPal Inc BB #85 MB iOS 4.6 - Auth Bypass Vulnerability
PayPal Security UID: Vxda0S
Vulnerability Laboratory ID (VL-ID):
Common Vulnerability Scoring System:
Product & Service Introduction:
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money
transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally,
a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. But some
time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined
spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified
funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy
(for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your
PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary
funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request
a transfer to their bank account.
PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it
charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency
used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient s account
type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.
On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United
States at eBay s North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale,
Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across
Europe, PayPal also operates as a Luxembourg-based bank.
On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China s bankcard association, to allow Chinese consumers
to use PayPal to shop online.PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010.
Between December 4ñ9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation
(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]
Abstract Advisory Information:
The Vulnerability Laboratory Research Team discovered a security auth protection mechanism bypass vulnerability in the PayPal Inc iOS Mobile Application.
Vulnerability Disclosure Timeline:
2014-10-09: Public Disclosure (Vulnerability Laboratory)
Product: iOS Mobile Application - Banking 4.6.0
Technical Details & Description:
An auth restriction bypass vulnerability has been discovered in the official PayPal Inc mobile webapplication and api.
The vulnerability allows to bypass a filter or restrction of the online-service to get unauthorized paypal account access.
The security vulnerability is located in the mobile api auth procedure of the paypal online-service. The mobile app api does not
check for already restricted/blocked application accounts. Remote attackers are able to login through the mobile api with paypal
portal restriction to access account information or interact with the compromised account.
If a paypal user tries several times to login with a wrong password/user combination the paypal account will temporarily be closed
for security reasons. When this happens the user needs to answer a secret question to get the account open again. Even if the account
is temporarily closed it is possible to get access to the account via the paypal mobile app client through the API.
The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for
the blocked user to get access to his paypal account and is able to make transactions and he can send money from the account. The mobile
iPhone / iPad Paypal App does need a security upgrade to ensure that the status of an account is also verified and how the App reacts when
such an event takes place. This would ensure that no one can have access via the mobile client to a blocked account. In the Paypal database
there are several preferences for an account to verify the status of the account. These preferences need to be used to check also the account
status on the mobile client API. There is another exception which drops a push message on iOS devices (iphone & ipad) which refers to the main
paypal website but it is only a temporary solution and no possibility to block account stable.
During the pentest the researcher revealed that he was able to access the blocked test account through the mobile application api. At the end the
researcher was able to interact through the mobile app by easily accessing the information of the paypal account email@example.com.
The security risk of the auth bypass restriction vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.2.
Exploitation of the vulnerability requires a restricted/blocked account of the paypal application without user interaction. Successful exploitation
of the issue results in auth restriction bypass through the official mobile paypal app api.
[+] PayPal Inc
[+] PayPal iOS App (iPhone & iPad) v4.6.0
[+] Login Verification – (Auth)
Proof of Concept (PoC):
The auth bypass restriction vulnerability can be exploited by remote attackers without user interaction but with low privileged application user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Site: PayPal Inc (www.paypal.com)
Test Account: firstname.lastname@example.org email@example.com
Mobile Client: https://itunes.apple.com/us/app/paypal/id283646709
#1 Manual steps to reproduce the issue with security question
1. Register a regular PayPal account linked to a banking account
2. Go to the login & provoke the ask for security questions after several wrong forced passwords login requests
3. It is also possible to do it when logged into the account and provoke via transaction cancels & co.
4. Now, try to login again and we see the "Security Question" module
5. We switch to our iphone or ipad device and download & install the new paypal mobile application v4.6.0
6. Open the mobile application on your ipad or iphone device and login to your account
Note: The security protection mechanism of the main paypal core application disallows to login
without the verification attempt of the security question module!
7. The application allows the user to login via the mobile paypal app api without auth cancel or sec question popup
8. We login successful!
9. Now, the attacker can handle transactions, send money, request money, add funds, change address or include new cards
10. Successful reproduced!
#2 Manual steps to reproduce the issue without security question
1. Install the application to your iOS device (ipad or iphone)
2. Register a paypal inc user account
3. Solve a transaction and provoke an incident that the account get blocked
4. Now, login to the ios device and start the paypal application
5. Include the blocked login credentials and press the login button
6. The service grants access through the mobile api without processing to drop any exception to prevent the access
Note: Now the attacker is able to request the stored data of the paypal user in the portal even if the
service is restricted accessable. Regular the service must block you like when you login to the portal
but in case of the issue the api grants the access because of missing value check.
Security Video Demonstration Description
The video shows two blocked accounts. The first is the firstname.lastname@example.org pp test account and the second is the email@example.com pp test account.
The first one is nulled and frozen and the second one has also been blocked. The video shows in the first steps both login profiles with are
unsuccessful. After providing to demonstrate that the firstname.lastname@example.org account is not allowed to access the portal we show how to unauthorized
access the account information even if the service has blocked to login through the main paypal. The researcher demonstrates how to bypass the
restricted account to get access and interact via api.
../Paypal Mobile API Auth Bypass Restriction.wmv
../1.jpg – 11.jpg
Solution - Fix & Patch:
The security vulnerability can be patched by a secure recognition of the validation procedure when
processing to request restriction values through api in the paypal account system.
The same exception that popup for the account email@example.com which is nulled needs to
prevent the same problem of the account firstname.lastname@example.org.
The account system itself should never allow to grant access for an account that has been restricted
in the main service that manages the paypal users. The bug does not only hurt the security policy it
is an infrastructure bug too.
The security risk of the protection mechanism bypass vulnerability via mobile api is estimated as high.
Credits & Authors:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (email@example.com)
Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: firstname.lastname@example.org - email@example.com - firstname.lastname@example.org
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(email@example.com or firstname.lastname@example.org) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
VULNERABILITY LABORATORY RESEARCH TEAM