The hackers at the Wall St. Journal have discovered a security hole in the iOS version of the PayPal app which allows a hacker sitting between your iOS device and PayPal's servers (most likely in an Internet-cafe-type setting) to spoof PayPal's security certificate. The PayPal app, bewilderingly, doesn't check the validity of this certificate.

A hacker would need skill and luck to make use of the vulnerability, which only affects users of the iPhone app connecting over unsecured Wi-Fi networks. It doesn’t affect the company’s Android app or users of the PayPal.com website.

A pretty blatant oversight by a banking company, nonetheless. Here's how it goes down:

The PayPal hole results from the app’s failure to verify the digital certificate for the payment service’s website. Such certificates function as electronic ID cards that let a user’s device know a website is legitimate. Without that confirmation, a sophisticated hacker could electronically step between a user and PayPal, pretend to be the PayPal website and gather usernames and passwords. In practice, that could mean setting up a Wi-Fi hotspot in Times Square and waiting for someone to use the network for a PayPal transaction on their iPhone app. It would be a fishing expedition, but the equipment and software needed is commonly available.
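What "failure to verify the digital certificate" means in practice, as an added example that is not from the original post, from PayPal, or from the WSJ report: the Go program below generates a throwaway self-signed certificate (standing in for whatever a rogue hotspot would present), serves it from a local TLS listener, and then connects twice. The first client skips verification the way the article describes the iOS app behaving, so the handshake with the impostor succeeds; the second uses the default verifying configuration and refuses. A third variant pins an explicit trust pool, which is how a banking app would accept only its own server. The host name `api.paypal.example` and the loopback server are constructed for the demo; the real app's code is Objective-C or Swift, but the TLS semantics are the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert generates a throwaway certificate for host (a constructed
// name). Nobody trusts its issuer, which is exactly the situation a
// man-in-the-middle on an open Wi-Fi network creates.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startRogueServer listens on loopback with the untrusted certificate,
// completes any handshake a client attempts, and returns the address to dial.
func startRogueServer(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake() // drive the handshake so the client sees a result
				}
				c.Close()
			}(c)
		}
	}()
	return ln.Addr().String(), nil
}

// connect dials addr and performs a TLS handshake with cfg; nil means the
// client accepted the server's certificate.
func connect(addr string, cfg *tls.Config) error {
	d := net.Dialer{Timeout: 2 * time.Second}
	conn, err := tls.DialWithDialer(&d, "tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// VulnerableAccepts models a client that never validates the certificate, the
// behaviour the article attributes to the iOS app. Expected: true.
func VulnerableAccepts(addr, host string) bool {
	return connect(addr, &tls.Config{ServerName: host, InsecureSkipVerify: true}) == nil
}

// HardenedAccepts uses Go's default verification against the system roots; an
// impostor certificate fails the chain check. Expected: false.
func HardenedAccepts(addr, host string) bool {
	return connect(addr, &tls.Config{ServerName: host}) == nil
}

// PinnedAccepts verifies only against an explicit pool, so a client can insist
// on the one certificate its operator actually deployed.
func PinnedAccepts(addr, host string, trusted *x509.CertPool) bool {
	return connect(addr, &tls.Config{ServerName: host, RootCAs: trusted}) == nil
}

func main() {
	host := "api.paypal.example" // constructed stand-in, not a real endpoint
	cert, err := selfSignedCert(host)
	if err != nil {
		panic(err)
	}
	addr, err := startRogueServer(cert)
	if err != nil {
		panic(err)
	}
	fmt.Println("skip-verify client accepted impostor:", VulnerableAccepts(addr, host)) // true
	fmt.Println("verifying client accepted impostor:  ", HardenedAccepts(addr, host))   // false
}
```

The defender's takeaway is the middle function: a TLS client that leaves verification on gets this protection for free, and the only way to end up where the article says PayPal did is to switch it off (`InsecureSkipVerify` here; the equivalent delegate override on iOS). Pinning, the third function, is the stricter option for an app that talks to exactly one backend, at the cost of shipping an update whenever that certificate changes.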

About the Author

Seth Weintraub