The app of the online payment service PayPal has a big security hole on the iPhone. It is not the only payment app with a leak.
PayPal has already updated its app and submitted the new version to the respective app stores. Users can now download the new, safe version, the Wall Street Journal reports. As far as PayPal knows, the hole has not been abused. It promises 100 percent reimbursement of any fraud.
Phishing
The leak is a basic error: the payment app does not verify that the certificate presented by the PayPal server is valid. That makes it possible to redirect users to a spoof site and capture their PayPal login details. "This is really a huge mistake by PayPal," said lead researcher Andrew Hoog of viaForensics, the company that discovered the leak.
The Wall Street Journal reports that it is possible to eavesdrop on payments and thereby intercept user names and passwords. According to PayPal this is possible only under rare circumstances: over an unsecured WiFi network to which the attacker must also be connected. The possibility of redirecting the app's traffic to a phishing site, however, undermines this reassurance.
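The following Go program is an added example and not code from PayPal, viaForensics or the original article. It shows the class of bug described above, a TLS client that completes the handshake without checking the server's certificate, next to the hardened form that verifies the chain and host name. The spoof server is a constructed local stand-in (Go's httptest server, which presents a self-signed certificate); no PayPal endpoint is contacted, and the function names are the example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// clientWith returns an HTTP client whose TLS settings are the only thing
// that differs between the vulnerable and the hardened case.
func clientWith(cfg *tls.Config) *http.Client {
	return &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: cfg},
	}
}

// fetchInsecure reproduces the bug class from the article: the handshake
// succeeds but the server certificate is never validated, so anyone on the
// same network who redirects the connection to their own server is accepted
// as the real service and receives the user's credentials. Never ship this.
func fetchInsecure(url string) (int, error) {
	c := clientWith(&tls.Config{InsecureSkipVerify: true}) // the bug
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// fetchVerified is the hardened form: the chain must end at a trusted root
// (the system store when roots is nil) and the certificate must match the
// host in the URL. A spoofed server fails the handshake before the app sends
// anything.
func fetchVerified(url string, roots *x509.CertPool) (int, error) {
	c := clientWith(&tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12})
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// isCertError reports whether err is a certificate verification failure
// (untrusted issuer, wrong host name, expired, or no usable root store)
// rather than an unrelated network error.
func isCertError(err error) bool {
	var ua x509.UnknownAuthorityError
	var hn x509.HostnameError
	var ci x509.CertificateInvalidError
	var sr x509.SystemRootsError
	return errors.As(err, &ua) || errors.As(err, &hn) ||
		errors.As(err, &ci) || errors.As(err, &sr)
}

func main() {
	// Constructed stand-in for an attacker's server: its self-signed
	// certificate is not trusted by the system store.
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "fake login page")
	}))
	defer srv.Close()

	if code, err := fetchInsecure(srv.URL); err == nil {
		fmt.Printf("vulnerable client: accepted untrusted server, HTTP %d\n", code)
	}
	if _, err := fetchVerified(srv.URL, nil); isCertError(err) {
		fmt.Println("hardened client: rejected untrusted server:", err)
	}
	// Once the same certificate is in the trusted roots (as a real service's
	// CA would be), the hardened client accepts the server.
	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate())
	if code, err := fetchVerified(srv.URL, trusted); err == nil {
		fmt.Printf("hardened client: accepted trusted server, HTTP %d\n", code)
	}
}
```

The only difference between the two clients is one field in the TLS configuration, which is what makes this kind of bug easy to introduce and easy to miss in review: both versions connect, exchange data and look identical to the user.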
Password
Incidentally, abuse of this vulnerability is only possible on the iPhone. Android smartphones are not vulnerable. Nevertheless, PayPal has also updated its app for that mobile operating system. The status of the PayPal app for BlackBerry is unknown.
The PayPal website makes no mention of the new version or of the need to update. Instead, PayPal praises the security of its mobile apps with the message that "every payment is confirmed with a password."
According to the company, the PayPal iPhone app has been downloaded about 4 million times since its release in April this year. The updated version (3.0.1) is already available in the iTunes App Store. The online payment service expects mobile payments this year to total some 700 million U.S. dollars.
More Apps leak
Meanwhile, more mobile payment apps turn out to contain leaks. viaForensics reviewed several apps and discovered gaps in the mobile payment applications of large U.S. financial institutions: Bank of America, USAA, Chase, Wells Fargo, TD Ameritrade and Vanguard. Several of these institutions have already issued updates for their apps.
viaForensics informed the banks before going public with its findings. "Since Monday (November 1, 2010), we have been communicating and working together with the financial institutions to eliminate these errors," the company said in a blog post yesterday. "The findings we have published reflect the testing we did on or around November 3." The company is also screening the new versions of the apps.