Benjamin Kunz Mejri, CEO of Vulnerability Lab, discovered a method to bypass the authentication processes that mobile apps use to log into PayPal, even if the verification ID cards two factors (2FA) is enabled.
When a user attempts to mistakenly affix credentials several times on the PayRal website from his computer, the company blocks the account and asks him to call a company representative to verify his identity or to open a ticket.
It is a typical process, and the user will not be able to access his account until the steps we have described follow.
However, Mr Mejri found that through PayPal's Android and iOS applications, users were able to bypass the certification process and gain access to the "blocked" account.
“Ακόμα και αν ο λογαριασμός είναι μπλοκαρισμένος ο χρήστης μπορεί να έχει πρόσβαση μέσω του API που uses its application mobile του, χρησιμοποιώντας τα υπάρχοντα cookies”, says Mejri.
According to the researcher, when he contacted Rapay to announce his findings, the company's employees were unable to replicate his steps to ascertain vulnerability.
After waiting for four months, Mejri published his findings.
Watch the video