PayPal, the online-payment provider, rushed out an update after it learned about a security flaw in its iPhone application. Recently unveiled at the Developer X Conference, the security flaw allowed a hacker to intercept users' passwords entered in the application. The security researcher who pointed out the hole said that it would allow someone to access the accounts of unsuspecting users. The app fails to authenticate PayPal’s website when communicating over the internet. According to PayPal, the eBay Inc. unit verified the vulnerability Tuesday night and sent a new version of the app to the Apple App Store.
While PayPal admitted the fault, the company further maintained that it would reimburse 100% of any fraudulent activity. No one has reported any such activity as yet, but the company remains committed to reimbursing any dispute.
The flaw only affects iPhone users connecting over an unsecured Wi-Fi network; users of the Android app or of the PayPal.com website are not affected.
The app fails to verify the digital certificate for the payment service’s website, which lets a hacker step into the electronic transaction and pretend to be the PayPal website, gaining access to the username and password. The hacker does need to be at the same location or Wi-Fi spot where the transaction takes place. What the hacker can do is set up a Wi-Fi hotspot and wait for someone to use the network for a PayPal transaction on their iPhone app.
According to PayPal, the iPhone app has been downloaded more than 4 million times since it was released back in April.
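For developers who want to check their own clients for this class of flaw, the following added example (not PayPal's code and not from the original report) shows a TLS client configuration that skips certificate verification next to one that authenticates the server, with a small audit helper. It uses Python's standard ssl module; the function names are hypothetical.

```python
import ssl


def insecure_context():
    """Client config with the flaw described above: the server is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be switched off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, from anyone, is accepted
    return ctx


def verifying_context():
    """Client config that validates the chain and matches the certificate to the host."""
    return ssl.create_default_context()


def audit(ctx):
    """Return the server-authentication checks that this client context skips."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("verifying", verifying_context())):
        print(name, audit(ctx) or "server is authenticated")
```

A context that validates the chain but leaves host name checking off still fails the audit, because a valid certificate issued for some other site would then be accepted in place of the intended one.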
via [Wall Street Journal]