PayPal rushed a fix out today for its iPhone app after learning that it contained a flaw that could be used by attackers to trick PayPal users into divulging their account information.
The authentication vulnerability in PayPal’s iPhone app could have allowed someone to conduct what is called a “man-in-the-middle” attack, PayPal spokesman Anuj Nayar told CNET. In such an attack, people who happen to be accessing their PayPal accounts over an unsecured Wi-Fi network could be tricked into thinking they are on the legitimate PayPal site when they aren’t.
Only PayPal’s iPhone app, which has been downloaded more than 4 million times, is affected; neither the Android app nor the company’s Web site is affected, Nayar said. iPhone users will have to download the update from the iPhone app store to secure their phones.
“We don’t believe any customers have been affected at all, and if there were any affected they would be 100 percent covered by PayPal,” he said.
PayPal learned of the problem yesterday from the newspaper, according to Nayar. “As soon as we found out, we moved to push a fix to address this vulnerability,” he said.
Nayar complained that viaForensics put users at risk by publicizing the information before giving PayPal a chance to fix it. “We work closely with the security community and…we ask them to report to us before going public,” he said.