Benjamin Kunz Mejri, CEO of the Vulnerability Lab, discovered a method to bypass the authentication processes that mobile apps use to log into the PayPal, even if the control two-factor authentication (2FA) is enabled.
When a user attempts to mistakenly affix credentials several times on the PayRal website from his computer, the company blocks the account and asks him to call a company representative to verify his identity or to open a ticket.
It is a typical process, and the user will not be able to access his account until the steps we have described follow.
Ωστόσο, ο κ Mejri διαπίστωσε ότι από τις εφαρμογές της PayPal για Android και iOS, οι χρήστες μπορούσαν να παρακάμπτουν τη διαδικασία πιστοποίησης και να αποκτήσουν πρόσβαση στο "μπλοκαρισμένο" λογαριασμό.
"Ακόμα και αν ο account είναι μπλοκαρισμένος ο χρήστης μπορεί να έχει πρόσβαση μέσω του API που χρησιμοποιεί η εφαρμογή του κινητού του, χρησιμοποιώντας τα υπάρχοντα cookies", αναφέρει ο Mejri.
According to the researcher, when he contacted Rapay to announce his findings, the company's employees were unable to replicate his steps to ascertain vulnerability.
After waiting for four months, Mejri published his findings.
Watch the video