The Wall Street Journal reports on a security problem with online payment company PayPal’s iPhone application, which could reveal private financial data.
Internet-payment provider PayPal said it has rushed out an update to correct a security flaw in its iPhone application that could allow a hacker to intercept users’ passwords.
The hole stems from the app’s failure to confirm the authenticity of PayPal’s website when communicating over the Internet—a basic lapse that the security researcher who found the flaw said would allow someone to access the accounts of unsuspecting users.
PayPal spokeswoman Amanda Pires said the eBay Inc. unit verified the vulnerability Tuesday night and sent a new version of the app to Apple Inc.’s App Store that users will have to download. PayPal also said it would reimburse 100% of any fraudulent activity. […]
A hacker would need skill and luck to make use of the vulnerability, which only affects users of the iPhone app connecting over unsecured Wi-Fi networks. It doesn’t affect the company’s Android app or users of the PayPal.com website. […]
The hole is embarrassing for an outfit selling secure services and a reminder that companies are having trouble getting a grip on security as they rush to exploit the capabilities of new, more powerful smartphones.