Online payment giant PayPal has rushed to fix a security flaw in its iPhone app overnight, after a Chicago security firm identified a weakness that could let attackers trick users into handing over their private details.
PayPal has said the flaw has now been addressed and an updated version of the app has been uploaded onto the App Store.
The vulnerability comes as PayPal is placing increasing emphasis on its mobile strategy, introducing new apps and features for people who want to make payments on the move.
Security firm ViaForensics first identified the flaw as part of its appWatchdog service, which tests publicly available mobile applications for security vulnerabilities. According to the company, the service measures how apps handle sensitive user data, including usernames and passwords.
Andrew Hoog, chief investigative officer at ViaForensics, told the Wall Street Journal that the firm identified the flaw during a sweep of a number of apps.
“This is a colossal oversight on PayPal,” Hoog said, adding that the firm has also found a number of different vulnerabilities in other applications it tested.
The vulnerability itself lies in the application’s failure to verify the server’s “digital certificate”, the credential that proves the app is really talking to PayPal. Because the app did not check it, Hoog says, an attacker could stand up a fake PayPal site presenting a forged certificate and fool users into thinking they were on the real one.
A second flaw is that the app does not encrypt data when it is stored on the device, meaning anyone who gains access to the phone could potentially read account details, balances and other sensitive information.
While Hoog says these vulnerabilities could only be exploited by fairly sophisticated attackers, and only by an attacker on the same insecure wireless network as the victim, he warns that users will not tolerate anything less than absolute certainty that their data is safe.
“We’re really in the infancy of mobile security. But users are demanding that financial applications have a high level of trustworthiness and that applications protect their data,” Hoog said.
PayPal issued a statement to the WSJ, with a spokesperson saying: “To my knowledge it has not affected anybody. We’ve never had an issue with our app until now.”