The Wall Street Journal has discovered a security hole in the iOS version of the PayPal app which allows a hacker to intercept users’ passwords.
“The PayPal hole results from the app’s failure to verify the digital certificate for the payment service’s website. Such certificates function as electronic ID cards that let a user’s device know a website is legitimate.
Without that confirmation, a hacker could electronically step between a user and PayPal, pretend to be the PayPal website and gather usernames and passwords. The hacker would need to be in the same physical location as the user or have gained access to the same Wi-Fi network.
In practice, that could mean setting up a Wi-Fi hotspot in a location, such as a train station, and waiting for someone to use the network for a PayPal transaction on their iPhone app. It would be a fishing expedition, but the equipment and software needed is commonly available.”
PayPal spokeswoman Amanda Pires said the eBay Inc. unit verified the vulnerability Tuesday night and sent a new version of the app to Apple’s App Store that users will have to download. PayPal also said it would reimburse 100% of any fraudulent activity.
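The app's own code is not shown here, so the following is an added illustration (not PayPal's code) of the same class of check using Python's standard `ssl` module: it compares a client configuration that accepts any certificate, one that validates the chain but not the hostname, and the library default, and refuses to open a login connection unless the server is authenticated. The function names are hypothetical.

```python
import socket
import ssl


def server_auth_findings(ctx):
    """List the ways this client context fails to authenticate the server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated against trusted CAs")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the requested hostname")
    return findings


def weak_context():
    """Client context that accepts any certificate (the failure described above)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_context():
    """Validates the chain but not the name: a CA-issued cert for any site passes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def hardened_context():
    """Library defaults: trusted chain required and hostname must match."""
    return ssl.create_default_context()


def connect_for_login(host, port, ctx):
    """Open a TLS connection only if the context authenticates the server."""
    problems = server_auth_findings(ctx)
    if problems:
        raise ValueError("refusing to send credentials: " + "; ".join(problems))
    sock = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    for name, make in [("weak", weak_context), ("chain-only", chain_only_context),
                       ("hardened", hardened_context)]:
        print(name, server_auth_findings(make()) or "server is authenticated")
```

The chain-only case is worth checking for separately: it looks like verification is on, yet a valid certificate issued for an unrelated domain would still be accepted.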