Benjamin Kunz Mejri, Chief Executive Officer Vulnerability Lab, ανακάλυψε μια μέθοδο παράκαμψης των διαδικασιών πιστοποίησης που χρησιμοποιούν κινητές εφαρμογές για να συνδεθούν στην PayPal, ακόμα και αν ο έλεγχος identity two (2FA) is enabled.
When a user attempts to mistakenly affix credentials several times on the PayRal website from his computer, the company blocks the account and asks him to call a company representative to verify his identity or to open a ticket.
It is a standard procedure, and the user will not be able to have access in his account until he follows the steps we described.
However, Mr Mejri found that through PayPal's Android and iOS applications, users were able to bypass the certification process and gain access to the "blocked" account.
“Ακόμα και αν ο λογαριασμός είναι μπλοκαρισμένος ο χρήστης μπορεί να έχει πρόσβαση μέσω του API που χρησιμοποιεί η εφαρμογή του κινητού του, χρησιμοποιώντας τα υπάρχοντα cookies”, says Mejri.
According to the researcher, when he contacted Rapay to announce his findings, the company's employees were unable to replicate his steps to ascertain vulnerability.
After waiting for four months, Mejri published his findings.
Watch the video