Researchers recently discovered a smattering of vulnerabilities in web applications and mobile applications belonging to companies like Yahoo, PayPal, Magento, and Shopify that could have led to account theft, session hijacking, and phishing, among other consequences.
The researchers found three separate issues in web apps developed by PayPal, including a severe vulnerability that could have let an attacker bypass a verification check meant to confirm the account owner. Mejri discovered that even if two-factor authentication was enabled on the app, a user who attempted to log in with the wrong credentials and got blocked could still get into the account. In a writeup on the vulnerability last week, Mejri said that a user could access another user’s account via the mobile API simply by swapping out expired cookies for legitimate ones.