Hole in iPhone PayPal app allows account hijacking
PayPal customers that use the payment company’s iPhone application to effectuate payments should update it as soon as possible, because a vulnerability that can be exploited to hijack their accounts has been found by a security researcher and confirmed by PayPal.
The flaw doesn’t affect the PayPal site or the company’s Android application, but the 4+ million people who downloaded the iPhone application so far are in danger of getting their passwords intercepted by a hacker if they connect over unsecured Wi-Fi networks.
Essentially, the flaw makes the application fail to verify the digital certificate of the PayPal.com website and could allow a criminal to “stand” between the user and the site and simply intercept his username and password. Of course, the hacker must be in the same physical location as the user, trick him to connect to a Wi-Fi hotspot that he (the hacker) set up, and wait for him to use the application.
According to The Wall Street Journal, PayPal spokeswoman Amanda Pires said that they haven’t yet heard of an instance where this hole was successfully exploited, but also that the company will reimburse every last cent if it happens to anyone.
That is good news, but it’s better if you update your PayPal application now and skip any unpleasant surprises, since the patched version has already been made available.