Post Info TOPIC: PayPal Fixes iPhone App Security Flaw


Internet payment provider PayPal this week raced out a fix for a
security vulnerability in its iPhone application that could have
potentially tricked users logging in through an unsecured Wi-Fi
connection into sharing their passwords and account information.

PayPal officials were not immediately available to comment on the security risk, but according to a Wall Street Journal report,
the eBay (NASDAQ: EBAY) unit rushed out a secure version of the app to
Apple's (NASDAQ: AAPL) App Store for users to download. It also said it
would reimburse any users who lost funds as a result of the breach.

At this point, it's unknown if or how many PayPal users were affected by the security flaw.

A company spokesperson told the Journal that the
vulnerability would only have compromised users running the iPhone
version of the app. Thus far, the flaw has not impacted users accessing
the payment processing function through the Android mobile app or via
the PayPal website.



Exposing the sleazery of ebaY and PayPal



Looks like there may be more to this yet

5th Nov 10

Paypal leaves iPhone users open to phishing scams

by Paul Russell

Paypal, the online payments system, has been exposed over a problem with its Apple application. Those using their iPhones with Paypal's iOS application could find themselves unwittingly sending information, such as account details, to an unauthorised third party, according to recent reports. The problem is to do with the fact that when the application connects with a server it does not check that server's digital certificate.

A digital certificate is a technique which is widely used to make sure that internet users are not sending data or information to websites they do not intend to. The fact that Paypal is failing to check digital certificates is leaving users open to attack by phishing websites.

Customers using Ebay are particularly at risk because they have to use Paypal as a method of sending and receiving payments. A spokeswoman for Paypal said the company, up until now, had not had any issues with its payment application, and was not aware of anybody having any problems.

The money transfer system also has an application for the Android operating system, but the company claims it is only having the digital certificate checking problem with the iOS application.

The company was keen to point out that anyone using its payment system who encounters a problem will be fully reimbursed. However, this does not discount the fact that Paypal has been worryingly negligent over its software design as well as taking care of its customers. Fixing the problem should be relatively easy, but this again begs the question: why is there a problem to begin with?



For people who haven't been following along closely, ebay and paypal, in conjunction with smartphones, cell phones, etc., have been having their share of troubles with security. SSL is beyond cracked and shredded.



Exposing the sleazery of ebaY and PayPal
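The missing certificate check described in the article above, shown as an added Python example that is not part of the original posts and is not PayPal's code. `weak_context`, `strict_context`, `audit_client_context` and `open_verified` are hypothetical names chosen here; the weak configuration is constructed to mirror the described flaw, and the audit lets a client refuse to connect when the server's certificate would go unchecked.

```python
import socket
import ssl


def weak_context() -> ssl.SSLContext:
    """Constructed 'before' configuration: TLS is used, but the server's
    certificate is never checked, so any server can answer the connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # certificate chain is not validated at all
    return ctx


def strict_context() -> ssl.SSLContext:
    """'After' configuration: chain validation against the system trust
    store plus a hostname match, which is what the standard library default does."""
    return ssl.create_default_context()


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means both checks are on."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    return findings


def open_verified(host: str, port: int = 443, ctx: ssl.SSLContext = None,
                  timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect only if the context will actually check the server certificate.
    The audit runs before any network traffic is sent."""
    ctx = ctx or strict_context()
    problems = audit_client_context(ctx)
    if problems:
        raise ValueError("refusing to connect: " + "; ".join(problems))
    sock = socket.create_connection((host, port), timeout=timeout)
    # server_hostname drives both SNI and the hostname match; a failed
    # check raises ssl.SSLCertVerificationError during the handshake.
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("weak:  ", audit_client_context(weak_context()))
    print("strict:", audit_client_context(strict_context()))
```
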



Yes, more to it.

Twitter and Facebook hacker defends Firesheep

People need to know how baad their security really is.

05 Nov 2010 07:13 | by Nick Farrell in Rome

The hacker who created the Firesheep tool which showed Twitter and Facebook users how insecure they were has defended its release to the great unwashed.

Eric Butler, a freelance web application and software developer based in Seattle, developed the Firesheep tool as an add-on for the Firefox web browser and it allows even idiots to break into the online accounts of people using unsecured Wi-Fi.

Writing in his bog [sic] Butler said that some had questioned the legality of the tool.

However, he said that it was "nobody's business telling you what software you can or cannot run on your own computer... like any tool, Firesheep can be used for many things."

(more ^)

The paypal relevant part:
Hit by the hack was PayPal's own mobile payments iPhone app which has since been patched in a software update.

Just a little advice. If anyone tries to download this be sure to only get it from the 'official' source and check those hash values etc.


Exposing the sleazery of ebaY and PayPal

