Internet-payment provider PayPal said it has rushed out an update to correct a security flaw in its iPhone application that could allow a hacker to intercept users’ passwords.
The hole stems from the app’s failure to confirm the authenticity of PayPal’s website when communicating over the Internet, a basic lapse that the security researcher who found the flaw said would allow someone to access the accounts of unsuspecting users.
PayPal spokeswoman Amanda Pires said the eBay Inc. unit verified the vulnerability Tuesday night and sent a new version of the app to Apple Inc.’s App Store that users will have to download. PayPal also said it would reimburse 100% of any fraudulent activity.
“To my knowledge it has not affected anybody,” Ms. Pires said. “We’ve never had an issue with our app until now.”
A hacker would need skill and luck to make use of the vulnerability, which only affects users of the iPhone app connecting over unsecured Wi-Fi networks. It doesn’t affect the company’s Android app or users of the PayPal.com website.
The PayPal hole results from the app’s failure to verify the digital certificate for the payment service’s website. Such certificates function as electronic ID cards that let a user’s device know a website is legitimate.
Without that confirmation, a hacker could electronically step between a user and PayPal, pretend to be the PayPal website and gather usernames and passwords. The hacker would need to be in the same physical location as the user or have gained access to the same Wi-Fi network.
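The two checks the article describes the app skipping, that the server certificate chains to a trusted authority and that it was actually issued for the host being contacted, shown as an added Python example (this is not PayPal's code; the certificate dictionary and the `audit`/`hostname_matches` helpers are constructed for illustration):

```python
import ssl


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if hostname is covered by the certificate.

    `cert` uses the dict layout of ssl.SSLSocket.getpeercert():
    subjectAltName DNS entries are authoritative; the subject
    commonName is only a fallback when no SAN is present.
    A single left-most wildcard label (*.example.com) is honoured;
    it does not cover the bare domain or deeper subdomains.
    """
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    host = hostname.lower().rstrip(".")
    for pattern in (n.lower().rstrip(".") for n in names):
        if pattern == host:
            return True
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            h_labels, p_labels = host.split("."), pattern.split(".")
            if len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]:
                return True
    return False


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """A client context is only safe if it both demands a certificate
    that chains to a trusted CA and checks the name inside it."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def secure_context() -> ssl.SSLContext:
    """What a client should use: CA verification + hostname check."""
    return ssl.create_default_context()


def insecure_context() -> ssl.SSLContext:
    """The kind of configuration that makes the interception the
    article describes possible: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx: ssl.SSLContext, cert: dict, hostname: str) -> bool:
    """True only when the context verifies the chain and the presented
    certificate names the host the app intended to reach."""
    return context_verifies_peer(ctx) and hostname_matches(cert, hostname)
```

A client built with `secure_context()` and connected with `server_hostname=` performs both checks itself; `audit` only makes the decision explicit for review.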