Benjamin Kunz Mejri, CEO of the Vulnerability Lab, discovered a method to bypass the authentication processes that mobile apps use to connect to PayPal, even if the control identity two factors (2FA) is enabled.
When a user attempts to mistakenly affix credentials several times on the PayRal website from his computer, the company blocks the account and asks him to call a company representative to verify his identity or to open a ticket.
It is a standard procedure, and the user will not be able to have access in his account until he follows the steps we described.
However, Mr Mejri found that through PayPal's Android and iOS applications, users were able to bypass the certification process and gain access to the "blocked" account.
"Even if the account is blocked the user can have access through the API used by application of his mobile, using the existing cookies", says Mejri.
According to the researcher, when he contacted Rapay to announce his findings, the company's employees were unable to replicate his steps to ascertain vulnerability.
After waiting for four months, Mejri published his findings.
Watch the video