PayPal Mobile Apps Plagued by Authentication Flaw: Benjamin Kunz
An unpatched vulnerability affecting PayPal’s mobile applications can be exploited to access restricted accounts and even bypass the two-factor authentication (2FA) mechanism, a researcher claims.
PayPal may ask users to confirm their identity for fraud-protection reasons and to meet regulatory obligations. While such a verification is pending, users are blocked from accessing their account and instructed to call or email PayPal to complete the process.
However, according to Benjamin Kunz Mejri, the founder and CEO of Vulnerability Lab, restricted accounts can still be accessed via the PayPal mobile apps for Android and iOS. The researcher says the applications are plagued by a vulnerability that can be exploited to access such accounts through repeated login attempts that leverage valid session cookies.