PayPal rushed a fix out today for its iPhone app after learning that it contained a flaw that could be used by attackers to trick PayPal users into divulging their account information.
The authentication vulnerability in PayPal's iPhone app could have allowed someone to conduct what is called a "man-in-the-middle" attack, PayPal spokesman Anuj Nayar told CNET. In such an attack, people who happen to be accessing their PayPal accounts over an unsecured Wi-Fi network could be tricked into thinking they are on the legitimate PayPal site when they aren't.
Only PayPal's iPhone app, which has been downloaded more than 4 million times, is affected; neither the Android app nor the company's Web site is affected, Nayar said. iPhone users will have to download the update from the iPhone app store to secure their phones.
"We don't believe any customers have been affected at all, and if there were any affected they would be 100 percent covered by PayPal," he said.
PayPal learned of the problem yesterday from the newspaper (The Wall Street Journal, which viaForensics had worked with to contact the company), according to Nayar. "As soon as we found out, we moved to push a fix to address this vulnerability," he said.
Nayar complained that viaForensics put users at risk by publicizing the information before giving PayPal a chance to fix it. "We work closely with the security community and...we ask them to report to us before going public," he said.
Update October 4 at 9:48 a.m. PT: Andrew Hoog, chief investigative officer at viaForensics, provided this statement late on Wednesday: "We adhere to an Ethical Disclosure policy, which is designed to protect the public. We make every effort to contact the vendor, either directly or through other parties. At that point, we provide the vendor with a full disclosure of the vulnerabilities and assist in the resolution. In some circumstances, we may discover an extremely serious flaw that places the public at great risk. A large factor in how we disclose this vulnerability depends on whether or not steps taken by the user could immediately eliminate the risk. We believe the general public has the right to understand security flaws that put them at risk for identity and financial theft. Weighing the above factors, we worked with The Wall Street Journal to contact PayPal. We provided them full disclosure details and helped them re-create the vulnerability. Since the man-in-the-middle attack is widely known and understood, it was a serious and a realistic risk."