PayPal Patches 'Basic' Security Flaw in iPhone App

Nov 4, 2010
3 minute read
PayPal patched a security hole in its iPhone application that could let hackers steal user passwords and access their financial accounts, according to the Wall Street Journal.

The vulnerability was uncovered by digital forensics and security research firm viaForensics: the app did not validate the SSL certificate presented by the server, so it had no way to confirm that it was actually talking to PayPal's Web site. An app that skips certificate validation is exposed to "man-in-the-middle" attacks, in which an attacker who can intercept the connection presents a certificate of his own, terminates the encrypted session himself, and reads the usernames, passwords, and account data that pass through it, said viaForensics.

Users can download the new version from Apple’s iPhone App Store to fix the bug. Version 3.0.1 includes “an important security update,” according to the app store page. The flaw does not exist on the Android app or on the main Web site.

PayPal verified the vulnerability and rushed out the new version immediately. Even though the online payments company said no users had been affected by the security hole, it also said users would be reimbursed for any and all fraudulent activity.

The authentication failure affects only users connecting over unsecured wireless networks, according to the WSJ article. The precondition is that the attacker can sit in the path of the app's traffic, which an open Wi-Fi hotspot makes trivial: an attacker on the same network redirects the app's connection to a server under his control that impersonates PayPal. Because the app never checked the certificate it was handed, the login proceeded as normal and the user had no indication that anything was wrong.
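The following is an added example, not code from PayPal or viaForensics, showing the class of mistake described above and the correct configuration beside it. It uses Python's standard `ssl` module to build a client context that accepts any certificate (the behaviour the article attributes to the app), a properly verifying one, and a hostname check of the kind a client must perform after the certificate chain verifies. The PayPal hostnames used as sample input are constructed for illustration.

```python
"""Certificate validation in a TLS client: the failure and the fix.

Added example; not PayPal's or viaForensics' code. Contrasts a client context
that accepts any certificate with a correctly configured one, and implements
the hostname check that turns "some valid certificate" into "a certificate for
the site I asked for". Hostnames below are constructed sample input.
"""
import ssl
from typing import Iterable


def vulnerable_context() -> ssl.SSLContext:
    """A client context that skips chain verification and hostname checking.

    A man-in-the-middle who terminates the TLS connection with any certificate,
    self-signed included, is accepted as if he were the real server.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Default client context: verifies the chain against the system trust
    store and checks the certificate's names against the requested host."""
    return ssl.create_default_context()


def accepts_impostor(ctx: ssl.SSLContext) -> bool:
    """True if a connection through `ctx` would succeed against a forged
    certificate, i.e. if either verification or hostname checking is off."""
    return ctx.verify_mode == ssl.CERT_NONE or not ctx.check_hostname


def hostname_matches(host: str, dns_names: Iterable[str]) -> bool:
    """Match `host` against the certificate's subjectAltName DNS entries.

    Rules follow common RFC 6125 practice: case-insensitive exact match, or a
    wildcard that stands in for exactly one leftmost label and is never the
    whole name. "*.paypal.com" matches "www.paypal.com" but not "paypal.com",
    not "a.b.paypal.com", and not "www.paypal.com.evil.example".
    """
    host_labels = host.lower().rstrip(".").split(".")
    for name in dns_names:
        labels = name.lower().rstrip(".").split(".")
        if "*" not in name:
            if labels == host_labels:
                return True
            continue
        # Wildcard must be the entire leftmost label, must have at least two
        # labels after it, and the label counts must agree exactly.
        if labels[0] != "*" or len(labels) < 3 or len(labels) != len(host_labels):
            continue
        if labels[1:] == host_labels[1:]:
            return True
    return False


if __name__ == "__main__":
    print("vulnerable context accepts impostor:", accepts_impostor(vulnerable_context()))
    print("hardened context accepts impostor:  ", accepts_impostor(hardened_context()))
    for h in ("www.paypal.com", "paypal.com", "www.paypal.com.evil.example"):
        print(f"{h:32} matches *.paypal.com: {hostname_matches(h, ['*.paypal.com'])}")
```

The point of `accepts_impostor` is that either half of the check being disabled is enough to lose: a client that verifies the chain but never compares the certificate's names to the host it asked for will happily accept a valid certificate for any attacker-controlled domain.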

While the payoff from this kind of attack is limited, since the attacker has to share a network with each victim, the tools to set it up are readily available. The misstep is doubly embarrassing for a company that bases its business on the security of its products and is aggressively moving into the mobile payments space.

The security researcher who found and reported the flaw used viaForensics' free appWatchdog service, which tests mobile applications for insecure transmission or storage of sensitive user data. The service checks how securely an app handles usernames and passwords, said viaForensics.

The appWatchdog service scanned both PayPal’s iPhone and Android apps on Nov. 3. The iPhone app failed on three out of four measures: securely storing application data on the device, securely storing usernames, and “additional” security tests, according to viaForensics. It passed on securely storing the password.

When the data is not securely stored on the phone itself, all of the financial information that was viewed through the app can be recovered from the device, for instance from a lost or stolen handset or from a backup of it, without the attacker ever having to break into the account, said viaForensics.

The lack of security in mobile apps was highlighted recently by a study published by a Bucknell University network administrator, who found that 68 percent of apps listed in the “most popular” and “top free” categories on the app store transmitted personal information in plain text.

The free iPhone app from PayPal, which has been downloaded more than four million times, allows users to send and receive money, snap a photo of a check to add money into their accounts, check balances, donate to charity, withdraw funds, and view past transactions.

PayPal has had some difficulties recently, with two site outages on Oct. 29. Each outage lasted less than an hour and was the result of a network hardware failure, according to PayPal. Even three days later, however, users complained of missing account data, including credit card information and transaction history, on the PayPal blog.
