The hackers at the Wall St. Journal have discovered a security hole in the iOS version of the Paypal app which allows a hacker sitting between your iOS device and Paypal servers (most likely at an Internet Cafe type setting) to spoof the Paypal security certs.  The PayPal app bewilderingly doesn’t check the validity of this certificate.

A hacker would need skill and luck to make use of the vulnerability, which only affects users of the iPhone app connecting over unsecured Wi-Fi networks. It doesn’t affect the company’s Android app or users of the PayPal.com website.

A pretty blatant oversight by a banking company, nonetheless.  Here’s how it goes down:

The PayPal hole results from the app’s failure to verify the digital certificate for the payment service’s website. Such certificates function as electronic ID cards that let a user’s device know a website is legitimate. Without that confirmation, a sophisticated hacker could electronically step between a user and PayPal, pretend to be the PayPal website and gather usernames and passwords. In practice, that could mean setting up a Wi-Fi hotspot in Times Square and waiting for someone to use the network for a PayPal transaction on their iPhone app. It would be a fishing expedition, but the equipment and software needed is commonly available.

FTC: We use income earning auto affiliate links. More.


Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Seth Weintraub's favorite gear