eBay’s PayPal online payment division is rushing a software patch to users of its iPhone mobile payments application to plug a hole that leaves users vulnerable to man-in-the-middle and phishing attacks, but the firm that found that hole said transaction security is just one problem facing the mobile payments application.
An audit by Chicago firm ViaForensics discovered serious security holes in the PayPal mobile payment application for Apple’s iPhone. The most critical was a flaw that could allow attackers to set up a phony PayPal phishing site and snoop user credentials, but the application also fell short in protecting user login and potentially sensitive application data, according to ViaForensics co-founder Andrew Hoog.
PayPal did not immediately respond to a request for comment from Threatpost. In published reports, the company acknowledged the hole and said it had sent an update out Tuesday night. The company said it would reimburse customers for any fraudulent activity related to an attack on the iPhone application.
Hoog said the holes did not affect a similar version of the PayPal application for the Android platform. However, he said the work on the iPhone PayPal application was part of a broader survey of mobile payment applications that found widespread application and implementation vulnerabilities.
“We found pervasive issues across many applications,” Hoog told Threatpost.com. “When we started, we didn’t know how deep we’d have to dig. The scary thing was that so much of the analysis we did was without looking hard.”
ViaForensics disclosed the transaction security hole to PayPal on Monday, subsequent to contacting the Wall Street Journal regarding the issue. Hoog said that ViaForensics lacked high-level security contacts at PayPal and other vendors. Reaching out to the media was a way to inform consumers about what the firm considered a serious and exploitable security hole, and to get the ear of senior product security managers at PayPal, which is owned by eBay.
The company’s analysis discovered that the iPhone version of PayPal’s mobile payments application fails to verify the site’s digital certificate, allowing a technically sophisticated user to set up a bogus PayPal Web site and trick users into authenticating to it. Attackers would need to trick users into connecting to an insecure wireless network to conduct the transaction first.
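The flaw described above is a client that does not check the server's certificate before sending credentials over TLS. The following is an added illustration, not PayPal's code, of the two patterns an iOS reviewer looks for: a challenge handler that turns whatever chain the server presents into a credential (the vulnerable shape), beside one that evaluates the chain against the system trust store and the intended host name and refuses to continue on failure. The class name `PaymentClient` and the helper name `insecureHandleChallenge:completionHandler:` are assumptions chosen for the example.

```objectivec
// Added example (not PayPal's code): handling the TLS server-trust challenge
// in an iOS client. The insecure variant reproduces the class of flaw in the
// article: it accepts any certificate, so a rogue access point can terminate
// TLS with a forged certificate and collect the login.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface PaymentClient : NSObject <NSURLSessionDelegate>
@end

@implementation PaymentClient

// INSECURE pattern (hypothetical helper): the presented chain is wrapped in a
// credential without being evaluated, so a self-signed certificate from a
// man-in-the-middle is trusted exactly like the real one.
- (void)insecureHandleChallenge:(NSURLAuthenticationChallenge *)challenge
              completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                                          NSURLCredential *))completionHandler {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    completionHandler(NSURLSessionAuthChallengeUseCredential,
                      [NSURLCredential credentialForTrust:trust]);
}

// HARDENED pattern: evaluate the chain against the system trust store, bound to
// the host we meant to reach, and cancel the connection if that fails.
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                             NSURLCredential *))completionHandler {
    if (![challenge.protectionSpace.authenticationMethod
              isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Not a server-trust challenge: let the framework handle it.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    SecTrustRef trust = challenge.protectionSpace.serverTrust;

    // A valid certificate for some other host name must not be accepted, so the
    // SSL policy is tied to the host from the request.
    SecPolicyRef policy = SecPolicyCreateSSL(true,
        (__bridge CFStringRef)challenge.protectionSpace.host);
    SecTrustSetPolicies(trust, policy);
    CFRelease(policy);

    CFErrorRef error = NULL;
    BOOL trusted = SecTrustEvaluateWithError(trust, &error);
    if (error != NULL) {
        CFRelease(error);
    }

    if (trusted) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        // Fail closed: the user sees a connection error instead of silently
        // authenticating to an impostor.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end
```

If the app has no reason to customise trust evaluation, returning `NSURLSessionAuthChallengePerformDefaultHandling` for server-trust challenges gives the same verification with less code; the explicit path above is useful when the app later wants to add certificate pinning on top of chain validation.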
However, ViaForensics’ analysis went further. The company also discovered that user and application data for the PayPal application for iPhone are not encrypted when they are stored on the device. That could give someone who compromises the device access to the user’s PayPal username and potentially account details, such as account number, balances, and so on, Hoog said.
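The storage weakness above is the other pattern an audit of a payments app checks for: secrets written to plaintext files in the app sandbox. As an added example, not PayPal's code, the block contrasts writing a session token to `NSUserDefaults` (which is a property list on disk, readable from a device image or backup) with storing it as a Keychain item that the device encrypts and that is only readable while the device is unlocked and is never migrated to another device. The service identifier `com.example.payments` and the function names are placeholders chosen for the example.

```objectivec
// Added example (not PayPal's code): keeping a session token and account
// identifier out of plaintext storage on an iOS device.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Placeholder service name; a real app uses its own bundle-specific identifier.
static NSString *const kServiceName = @"com.example.payments";

// INSECURE: NSUserDefaults is an unencrypted plist in the app sandbox, so the
// token is exposed to anyone with a file-system image or a backup of the device.
void storeTokenInsecurely(NSString *token) {
    [[NSUserDefaults standardUserDefaults] setObject:token forKey:@"session_token"];
}

// HARDENED: a generic-password Keychain item, encrypted by the device, readable
// only while unlocked, and excluded from backups by the ThisDeviceOnly class.
BOOL storeTokenInKeychain(NSString *account, NSString *token) {
    NSData *secret = [token dataUsingEncoding:NSUTF8StringEncoding];
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kServiceName,
        (__bridge id)kSecAttrAccount: account,
    };
    // Remove any existing item first so a stale token is never left behind.
    SecItemDelete((__bridge CFDictionaryRef)query);

    NSMutableDictionary *attrs = [query mutableCopy];
    attrs[(__bridge id)kSecValueData] = secret;
    attrs[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    return status == errSecSuccess;
}

// Reads the token back; returns nil when no item exists or the device is locked.
NSString *loadTokenFromKeychain(NSString *account) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kServiceName,
        (__bridge id)kSecAttrAccount: account,
        (__bridge id)kSecReturnData:  @YES,
        (__bridge id)kSecMatchLimit:  (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        return nil;
    }
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}
```

The same reasoning applies to cached account numbers and balances: anything the app does not need between launches should not be persisted at all, and anything it does need belongs in the Keychain or in a file created with an `NSFileProtectionComplete` attribute rather than in a plain plist or SQLite database.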
Other financial services and mobile payment applications contained similar flaws and what Hoog described as “cursory” efforts at securing data. That signals the need for far greater attention to security in an arena that is experiencing rapid growth, he said.
“We’re really in the infancy of mobile security. But users are demanding that financial applications have a high level of trustworthiness and that applications protect their data,” he said.