PayPal Inc BB #85 MB iOS 4.6 - Authentication Bypass









Document Title:
PayPal Inc BB #85 MB iOS 4.6 - Auth Bypass Vulnerability

References (Source):

PayPal Security UID: Vxda0S



Release Date:

Vulnerability Laboratory ID (VL-ID):

Common Vulnerability Scoring System:

Product & Service Introduction:
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money 
transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, 
a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. But some 
time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined 
spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified 
funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy 
(for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your 
PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a 
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary 
funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request 
a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it 
charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency 
used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient s account 
type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United 
States at eBay s North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale, 
Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across 
Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China s bankcard association, to allow Chinese consumers 
to use PayPal to shop online.PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010.
Between December 4ñ9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation 
for PayPal s decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: []

Abstract Advisory Information:
The Vulnerability Laboratory Research Team discovered a security auth protection mechanism bypass vulnerability in the PayPal Inc iOS Mobile Application.

Vulnerability Disclosure Timeline:
2014-10-09:	Public Disclosure (Vulnerability Laboratory)

Discovery Status:

Affected Product(s):
PayPal Inc
Product: iOS Mobile Application - Banking 4.6.0 

Exploitation Technique:

Severity Level:

Technical Details & Description:
An auth restriction bypass vulnerability has been discovered in the official PayPal Inc mobile webapplication and api. 
The vulnerability allows to bypass a filter or restrction of the online-service to get unauthorized paypal account access.

The security vulnerability is located in the mobile api auth procedure of the paypal online-service. The mobile app api does not 
check for already restricted/blocked application accounts. Remote attackers are able to login through the mobile api with paypal 
portal restriction to access account information or interact with the compromised account.

If a paypal user tries several times to login with a wrong password/user combination the paypal account will temporarily be closed 
for security reasons. When this happens the user needs to answer a secret question to get the account open again. Even if the account 
is temporarily closed it is possible to get access to the account via the paypal mobile app client through the API. 

The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for 
the blocked user to get access to his paypal account and is able to make transactions and he can send money from the account. The mobile 
iPhone / iPad Paypal App does need a security upgrade to ensure that the status of an account is also verified and how the App reacts when 
such an event takes place. This would ensure that no one can have access via the mobile client to a blocked account. In the Paypal database 
there are several preferences for an account to verify the status of the account. These preferences need to be used to check also the account 
status on the mobile client API. There is another exception which drops a push message on iOS devices (iphone & ipad) which refers to the main 
paypal website but it is only a temporary solution and no possibility to block account stable.

During the pentest the researcher revealed that he was able to access the blocked test account through the mobile application api. At the end the 
researcher was able to interact through the mobile app by easily accessing the information of the paypal account

The security risk of the auth bypass restriction vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.2. 
Exploitation of the vulnerability requires a restricted/blocked account of the paypal application without user interaction. Successful exploitation 
of the issue results in auth restriction bypass through the official mobile paypal app api.

Vulnerable Service(s):
				[+] PayPal Inc
Vulnerable Software(s):
				[+] PayPal iOS App (iPhone & iPad) v4.6.0
Vulnerable Module(s):
				[+] API
Affected Module(s):
				[+] Login Verification – (Auth)

Proof of Concept (PoC):
The auth bypass restriction vulnerability can be exploited by remote attackers without user interaction but with low privileged application user account. 
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Site: PayPal Inc (
Test Account:
Mobile Client:

#1 Manual steps to reproduce the issue with security question
1. Register a regular PayPal account linked to a banking account
2. Go to the login & provoke the ask for security questions after several wrong forced passwords login requests
3. It is also possible to do it when logged into the account and provoke via transaction cancels & co.
4. Now, try to login again and we see the "Security Question" module
5. We switch to our iphone or ipad device and download & install the new paypal mobile application v4.6.0
6. Open the mobile application on your ipad or iphone device and login to your account
Note: The security protection mechanism of the main paypal core application disallows to login
without the verification attempt of the security question module!
7. The application allows the user to login via the mobile paypal app api without auth cancel or sec question popup
8. We login successful!
9. Now, the attacker can handle transactions, send money, request money, add funds, change address or include new cards
10. Successful reproduced!
#2 Manual steps to reproduce the issue without security question
1. Install the application to your iOS device (ipad or iphone)
2. Register a paypal inc user account
3. Solve a transaction and provoke an incident that the account get blocked
4. Now, login to the ios device and start the paypal application
5. Include the blocked login credentials and press the login button
6. The service grants access through the mobile api without processing to drop any exception to prevent the access

Note: Now the attacker is able to request the stored data of the paypal user in the portal even if the
service is restricted accessable. Regular the service must block you like when you login to the portal
but in case of the issue the api grants the access because of missing value check.

Security Video Demonstration Description
The video shows two blocked accounts. The first is the pp test account and the second is the pp test account. 
The first one is nulled and frozen and the second one has also been blocked. The video shows in the first steps both login profiles with are
unsuccessful. After providing to demonstrate that the account is not allowed to access the portal we show how to unauthorized 
access the account information even if the service has blocked to login through the main paypal. The researcher demonstrates how to bypass the
restricted account to get access and interact via api.

Reference(s): Links

		../Paypal Mobile API Auth Bypass Restriction.wmv

		../1.jpg – 11.jpg
		../1.png –

Solution - Fix & Patch:
The security vulnerability can be patched by a secure recognition of the validation procedure when
processing to request restriction values through api in the paypal account system.
The same exception that popup for the account which is nulled needs to
prevent the same problem of the account
The account system itself should never allow to grant access for an account that has been restricted
in the main service that manages the paypal users. The bug does not only hurt the security policy it
is an infrastructure bug too.

Security Risk:
The security risk of the protection mechanism bypass vulnerability via mobile api is estimated as high.

Credits & Authors:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:   	-			       		-
Contact: 	- 	       		-
Section:	 	- 		       		-
Social:!/vuln_lab 		- 	       		-
Feeds:	-   		-
Programs:  	-	-

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
( or to get a permission.

				Copyright © 2014 | Vulnerability Laboratory [Evolution Security]