Angry Users are thinking twice about the "Safety" of online financial tyrant paypal, over a security flaw in its iPhone application that could allow a hacker to intercept users' passwords.
The hole stems from the app's failure to confirm the authenticity of PayPal's website when communicating over the internet -- a basic lapse that the security researcher who found the flaw said would allow someone to access the accounts of unsuspecting users.
PayPal spokeswoman Amanda Pires said the eBay unit verified the vulnerability on Wednesday and sent a new version of the app to Apple's App Store that users will have to download. PayPal also said it would reimburse 100 per cent of any fraudulent activity.
"To my knowledge it has not affected anybody," Ms Pires said. "We've never had an issue with our app until now."
A hacker would need skill and luck to make use of the vulnerability, which only affects users of the iPhone app connecting over unsecured WiFi networks. It doesn't affect the company's Android app or users of the PayPal.com website.
The PayPal hole results from the app's failure to verify the digital certificate for the payment service's website. Such certificates function as electronic ID cards that let a user's device know a website is legitimate.
Without that confirmation, a hacker could electronically step between a user and PayPal, pretend to be the PayPal website and gather usernames and passwords. The hacker would need to be in the same physical location as the user or have gained access to the same WiFi network.
In practice, that could mean setting up a WiFi hotspot in a location, such as a train station, and waiting for someone to use the network for a PayPal transaction on their iPhone app. It would be a fishing expedition, but the equipment and software needed is commonly available.
The hole is embarrassing for an outfit selling secure services and a reminder that companies are having trouble getting a grip on security as they rush to exploit the capabilities of new, more powerful smartphones.
"This is a colossal oversight on PayPal," said Andrew Hoog, chief investigative officer of viaForensics, a Chicago computer and mobile security firm that found the flaw.
PayPal said its iPhone app has been downloaded more than four million times since it was released in April. In October, the company said it expects more than $US700 million in mobile payments to go through its system by the end of this year.
Carriers, credit card companies and banks are pushing mobile payments in hopes of building new lines of business around smartphones.