viaForensics' new appWatchdog service has found a vulnerability in PayPal's mobile payment application for the iPhone that could allow an attacker to intercept users' passwords.
According to the Wall Street Journal, the hole stems from the app's failure to confirm the authenticity of PayPal's website when communicating over the Internet. In other words, the app did not verify that the server on the other end of its encrypted connection was really PayPal's, so anyone positioned between the phone and the Internet could impersonate the site and capture the credentials sent to it. The security researcher who found the flaw said this basic lapse would allow someone to access the accounts of unsuspecting users.
"PayPal spokeswoman Amanda Pires said the eBay Inc. unit verified the vulnerability Tuesday night and sent a new version of the app to Apple Inc.'s App Store that users will have to download," the article stated. "PayPal also said it would reimburse 100% of any fraudulent activity."
The vulnerability only affects iPhone users connecting over unsecured Wi-Fi networks, according to PayPal. A rogue hotspot is the simplest way for an attacker to get into the network path: a hacker could set up a Wi-Fi hotspot in a location such as a train station and wait for someone on that network to make a PayPal transaction from the iPhone app. PayPal said its iPhone app has been downloaded more than four million times since it was released in April. In October, the company said it expects more than $700 million in mobile payments to go through its system by the end of this year.
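To make the class of flaw concrete, the following is an added illustration written for this page, not PayPal's code and not derived from the viaForensics report. It shows how an iOS app using NSURLConnection (the networking API of the 2010 iPhone SDK) ends up not authenticating the server, beside the corrected handling. The class name, the trustAnyServer flag, and the idea that the app overrides the trust decision at all are assumptions made for the example; the Foundation and Security framework calls are real.

```objectivec
// Added example (not PayPal's code): server-trust handling in an NSURLConnection
// delegate, vulnerable form beside the hardened form. PaymentClient and
// trustAnyServer are hypothetical names used only to contrast the two paths.

#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface PaymentClient : NSObject <NSURLConnectionDelegate>
// Assumption for the example: switches between the two behaviours below.
@property (nonatomic, assign) BOOL trustAnyServer;
@end

@implementation PaymentClient

- (BOOL)connection:(NSURLConnection *)connection
canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
    // Take over only the server-trust decision; other challenge types stay with the system.
    return [protectionSpace.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;

    if (self.trustAnyServer) {
        // VULNERABLE: hands back a credential for whatever certificate the peer
        // presented, so a rogue hotspot with a self-made "paypal.com" certificate is
        // accepted and the encrypted session is set up with the attacker, not PayPal.
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
        return;
    }

    // HARDENED: evaluate the chain against the system trust store and the SSL policy
    // (which includes the hostname of the protection space). Only a clean result
    // yields a credential; anything else cancels the connection.
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    BOOL trusted = (status == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified ||
                    result == kSecTrustResultProceed);

    if (trusted) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```

The simplest correct behaviour is not to implement these delegate methods at all, since the system then performs the same evaluation itself; the override is shown only to put the unsafe and safe decisions side by side. When reviewing an app, a delegate that returns a credential for the server trust without calling SecTrustEvaluate (or that ignores its result) is the pattern to look for, and an easy way to confirm the exposure is to proxy the device through a TLS-intercepting proxy whose CA is not installed on the phone: a properly validating app refuses to connect, a vulnerable one logs in through the proxy.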
This security oversight follows on the heels of PayPal's service outage last Friday, which prevented merchants from processing PayPal payments for several hours. According to a blog post by Scott Guilfoyle, PayPal's CTO, the outage was the result of a network hardware failure in one of PayPal's data centers. "We were not able to switch over to our backup systems as quickly as planned," he writes.