
PayPal fixes security hole in iPhone app

PayPal iPhone app users need to download the update or risk a man-in-the-middle attack on their accounts over unsecured Wi-Fi networks.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

PayPal rushed a fix out today for its iPhone app after learning that it contained a flaw that could be used by attackers to trick PayPal users into divulging their account information.

The authentication vulnerability in PayPal's iPhone app could have allowed someone to conduct what is called a "man-in-the-middle" attack, PayPal spokesman Anuj Nayar told CNET. In such an attack, people who happen to be accessing their PayPal accounts over an unsecured Wi-Fi network could be tricked into thinking they are on the legitimate PayPal site when they aren't.

Only PayPal's iPhone app, which has been downloaded more than 4 million times, is affected; neither the Android app nor the company's Web site is affected, Nayar said. iPhone users will have to download the update from the iPhone app store to secure their phones.

"We don't believe any customers have been affected at all, and if there were any affected they would be 100 percent covered by PayPal," he said.

The Wall Street Journal reported on the matter today after being contacted by viaForensics, the mobile security firm that discovered the problem.

PayPal learned of the problem yesterday from the newspaper, according to Nayar. "As soon as we found out, we moved to push a fix to address this vulnerability," he said.

Nayar complained that viaForensics put users at risk by publicizing the information before giving PayPal a chance to fix it. "We work closely with the security community and...we ask them to report to us before going public," he said.

Update October 4 at 9:48 a.m. PT: Andrew Hoog, chief investigative officer at viaForensics, provided this statement late on Wednesday: "We adhere to an Ethical Disclosure policy, which is designed to protect the public. We make every effort to contact the vendor, either directly or through other parties. At that point, we provide the vendor with a full disclosure of the vulnerabilities and assist in the resolution. In some circumstances, we may discover an extremely serious flaw that places the public at great risk. A large factor in how we disclose this vulnerability depends on whether or not steps taken by the user could immediately eliminate the risk. We believe the general public has the right to understand security flaws that put them at risk for identity and financial theft. Weighing the above factors, we worked with The Wall Street Journal to contact PayPal. We provided them full disclosure details and helped them re-create the vulnerability. Since the man-in-the-middle attack is widely known and understood, it was a serious and a realistic risk."