CVE-2010-4211 Information
Description
The PayPal app before 3.0.1 for iOS does not verify that the server hostname matches the domain name of the subject of an X.509 certificate which allows man-in-the-middle attackers to spoof a PayPal web server via an arbitrary certificate.
Reference
http://itunes.apple.com/us/app/paypal/id283646709 http://news.cnet.com/8301-27080_3-20021730-245.html http://online.wsj.com/article/SB10001424052748703506904575592782874885808.html http://viaforensics.com/press-releases/viaforensics-uncovers-paypal-application-vulnerability.html http://viaforensics.com/security/viaforensics-uncovers-significant-vulnerability-paypal-iphone.html http://www.securityfocus.com/bid/44657 http://www.vupen.com/english/advisories/2010/2887 https://exchange.xforce.ibmcloud.com/vulnerabilities/63002
Share on: