The scary part is that the vulnerability can allow even a 2-factor authentication bypass.
Moral of the story: if the building has problems in the foundation, then no matter what you add on top, you can still have issues.
From the article:
The researcher says the applications are plagued by a vulnerability that can be exploited to access such accounts through repeated login attempts that leverage valid session cookies.
The bug bounty hunter says the method can be used to bypass not only the identity verification mechanism, but also the 2FA system.
The issue was reported to PayPal in April, but it remains unfixed. According to Vulnerability Lab, the company confirmed the existence of the flaw, but downplayed its impact.
This is not the first time PayPal and Vulnerability Lab have argued over the impact of a mobile API flaw. In October 2014, the German security firm publicly disclosed a similar security bypass issue after PayPal refused to acknowledge its existence for more than a year. Ultimately, the payment processor confirmed the vulnerability, patched it, and promised to reward the researchers.
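As an added illustration of the "foundation" point above (hypothetical code, not from the article and not PayPal's), here is a minimal server-side session model in which a cookie issued after the password step grants nothing until the 2FA step is completed, the cookie is rotated when 2FA succeeds, and every new login attempt revokes the user's earlier sessions, so a previously valid cookie cannot be replayed across repeated attempts. The class and function names are assumptions; `authorize_flawed` shows the weak check that treats any known cookie as fully authenticated.

```python
import secrets
from dataclasses import dataclass

# Hypothetical model: a session records explicit authentication stages.
@dataclass
class Session:
    user: str
    password_ok: bool = False
    mfa_ok: bool = False

class SessionStore:
    def __init__(self):
        self._sessions = {}  # cookie value -> Session
    def start_login(self, user, password_valid):
        # Any new login attempt revokes the user's older sessions first.
        for c in [c for c, s in self._sessions.items() if s.user == user]:
            del self._sessions[c]
        if not password_valid:
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = Session(user, password_ok=True)
        return cookie
    def complete_mfa(self, cookie, code_valid):
        s = self._sessions.get(cookie)
        if s is None or not s.password_ok or not code_valid:
            return None
        # Rotate the identifier on privilege change so the pre-2FA cookie dies.
        del self._sessions[cookie]
        new_cookie = secrets.token_urlsafe(32)
        self._sessions[new_cookie] = Session(s.user, True, True)
        return new_cookie
    def authorize(self, cookie):
        s = self._sessions.get(cookie)
        return s is not None and s.password_ok and s.mfa_ok
    def authorize_flawed(self, cookie):
        # The weak check: cookie exists, therefore the user is "logged in".
        return cookie in self._sessions

def scenario():
    store = SessionStore()
    pre = store.start_login("alice", password_valid=True)
    r = {"pre_mfa_rejected": not store.authorize(pre),
         "flawed_accepts_pre_mfa": store.authorize_flawed(pre)}
    post = store.complete_mfa(pre, code_valid=True)
    r["post_mfa_accepted"] = store.authorize(post)
    r["rotation_kills_old_cookie"] = not store.authorize_flawed(pre)
    store.start_login("alice", password_valid=False)  # repeated attempt
    r["revoked_by_new_attempt"] = not store.authorize(post)
    return r
```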
For more info: