Vulnerability Lab Exposes a Flaw That Allows Access to Blocked PayPal Accounts via the Smartphone Application

Last week Ebrahim Hegazy published a stored XSS vulnerability in PayPal that could be used to steal credit card information, followed by another XSS vulnerability discovered by the BitDefender team that allowed an attacker to run various attacks against PayPal users. Now security researchers at Vulnerability Lab have found a flaw that bypasses PayPal's restriction filter through the PayPal mobile application.

In some cases PayPal asks a user to confirm their identity in order to prevent fraud. While that confirmation is pending, the account is temporarily blocked, and PayPal asks the user to make a phone call or send an e-mail to verify their identity.

Proof-Of-Concept

According to Benjamin Kunz Mejri, even a blocked PayPal account can be accessed through the PayPal mobile apps. “The Vulnerability Laboratory Team discovered a restriction filter bypass in PayPal Mobile API for [...]” states the advisory published by Vulnerability Lab.

Mejri explained that gaining access to a blocked PayPal account through the mobile application is very simple: the user only has to make repeated login attempts.

According to the Vulnerability Lab researchers, the flaw lies in the mobile application API, at the identity check that follows login. When a user logs in to a blocked account, a pop-up form appears on the smartphone screen asking for identity verification. Processing the form request multiple times grants access to the PayPal account. In effect the identity check, which functions as a second authentication step on top of the e-mail address and password, can be bypassed.
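The article does not describe how the PayPal API actually handled the verification form, so the following is an added illustration of the general weakness class, not PayPal's code and not Vulnerability Lab's proof of concept. It models a server that decides at login that an account is restricted, hands the app a flag to show the identity-check pop-up, and then trusts the session token for every other call; a client that ignores the pop-up and simply repeats the login reads the account anyway. Beside it is a hardened version in which every privileged endpoint re-checks the restriction server-side. The account, balance, endpoint names and verification code are all constructed for the example.

```python
"""Toy model of a post-login restriction gate (constructed illustration).

VulnerableApi: the restriction is consulted once, at login, and only as a
hint for the client's pop-up. HardenedApi: every privileged endpoint asks
the server whether the account is still restricted, so repeating the login
or resubmitting the form never helps without the out-of-band code.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    password: str
    balance: int
    restricted: bool = False        # blocked pending identity confirmation
    verification_code: str = ""     # what the user would receive by phone/e-mail
    identity_verified: bool = False


class VulnerableApi:
    """Restriction is only a hint returned at login; nothing else enforces it."""

    def __init__(self, accounts):
        self.accounts = {a.email: a for a in accounts}
        self.sessions = {}          # token -> Account

    def login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or not secrets.compare_digest(password, acct.password):
            return {"ok": False, "error": "bad_credentials"}
        token = secrets.token_hex(16)
        self.sessions[token] = acct
        # The only place the restriction is consulted: a flag for the app's pop-up.
        return {"ok": True, "token": token, "show_identity_check": acct.restricted}

    def balance(self, token):
        acct = self.sessions.get(token)
        if acct is None:
            return {"ok": False, "error": "unauthenticated"}
        return {"ok": True, "balance": acct.balance}   # restriction never checked


class HardenedApi(VulnerableApi):
    """Every privileged endpoint re-evaluates the restriction on the server."""

    def _authorize(self, token):
        acct = self.sessions.get(token)
        if acct is None:
            return None, {"ok": False, "error": "unauthenticated"}
        if acct.restricted and not acct.identity_verified:
            return None, {"ok": False, "error": "identity_check_required"}
        return acct, None

    def balance(self, token):
        acct, err = self._authorize(token)
        if err:
            return err
        return {"ok": True, "balance": acct.balance}

    def confirm_identity(self, token, code):
        """The out-of-band code is the only thing that lifts the restriction."""
        acct = self.sessions.get(token)
        if acct is None:
            return {"ok": False, "error": "unauthenticated"}
        if not secrets.compare_digest(code, acct.verification_code):
            return {"ok": False, "error": "bad_code"}
        acct.identity_verified = True
        return {"ok": True}


def repeated_login_reads_balance(api, email, password, attempts=5):
    """Client that ignores the pop-up and keeps logging in.

    Returns the attempt number on which account data was obtained, or None.
    """
    for n in range(1, attempts + 1):
        resp = api.login(email, password)
        if not resp["ok"]:
            continue
        if api.balance(resp["token"])["ok"]:
            return n
    return None


def make_api(cls):
    # Constructed account: restricted, awaiting a code sent out of band.
    return cls([Account("alice@example.com", "hunter2", 4200,
                        restricted=True, verification_code="735910")])


if __name__ == "__main__":
    print(repeated_login_reads_balance(make_api(VulnerableApi), "alice@example.com", "hunter2"))  # 1
    hard = make_api(HardenedApi)
    print(repeated_login_reads_balance(hard, "alice@example.com", "hunter2"))  # None
    tok = hard.login("alice@example.com", "hunter2")["token"]
    print(hard.confirm_identity(tok, "000000"), hard.confirm_identity(tok, "735910"))
    print(hard.balance(tok))
```

The hardened class leaves `login` untouched; the difference is that `balance` (and any other privileged endpoint) goes through `_authorize` on every call, so the restriction is a property the server checks on each request rather than a state the client is asked to respect once. The number of times the login or the form is submitted then has no bearing on access; only the code delivered by phone or e-mail does.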


Mejri reported the flaw to PayPal in April, but PayPal did not consider it critical, and it still affects the application.