Today I discovered a security flaw in PayPal’s mobile website and Apple’s autocomplete on iOS. This bug also exists in many Android device keyboards. Many mobile websites show your password as you type it in, to help ensure you haven’t made a typo. I especially use this feature on my Android devices, which are often more difficult for me to type on. Amazon’s website (below) displays your password below the text box; your device never actually types the password into a normal text field. Amazon’s solution is—as far as I can tell—secure.
PayPal’s setup, shown at the top of this post, is vulnerable. PayPal’s “show” option causes the password field to turn into a normal text field. This allows you to see your password, but it also tells iOS to learn your typing habits. iOS doesn’t learn new words for autocomplete from password fields, so Apple never stores your passwords if they are entered in a proper password box. However, if you enter text in a normal text field, which PayPal uses to show you your password, Apple’s autocomplete can learn your password. Apple can then display your password as an autocomplete option later, even with just one letter entered. This can be used to log into your account, or perhaps just to write passwords in a text file, as I showed in the screenshots.
How Can You Protect Yourself?
So, while browsing the web, be on the lookout for this lazy implementation of the “show password” dialog box. If your iPhone shows the autocomplete bar above the keyboard, do not enter your password. If your password isn’t hidden by dots like so: •••••••••••••, do not enter your password.
Can PayPal or Apple Fix This?
This is not a serious security flaw unless you share your computer or device with someone. It’s also an easy one to fix. PayPal’s system is vulnerable, and any device you have synced with iCloud could display your password in plain text. An attacker (or, more likely, your child/significant other) would only need access to your iPhone, iPad, or Mac to gain access to your PayPal account. PayPal could easily update their mobile website to protect users against this form of “attack.” Apple could also update autocorrect to try to more accurately detect possible password text boxes, rather than relying on websites to properly create forms. Both Apple and PayPal need to update their features to protect consumers. For now, you’ll just have to protect yourself by never typing your password in an exposed text box.
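To make the difference between the two “show password” implementations concrete, here is an added example (my own illustration, not PayPal’s, Amazon’s or Apple’s code) of the leaky toggle that retypes the field, beside the mirroring variant that keeps the real field as type="password". It runs on real DOM elements in a browser; any object with the same property names works too, so the functions can also be exercised headlessly.

```javascript
// Added example (not PayPal's, Amazon's or Apple's code): the two ways a
// mobile site can implement "show password". Works on real DOM elements in a
// browser; any object with the same property names will do, so it also runs
// headlessly for testing.

// Leaky pattern (what the post describes on PayPal's site): flipping the
// field's type to "text" turns the password into ordinary prose that the
// iOS/Android keyboard is free to learn and later offer as autocomplete.
function revealByRetyping(input) {
  input.type = input.type === 'password' ? 'text' : 'password';
  return input.type;
}

// Mirroring pattern (what the post describes on Amazon's site): the field
// stays type="password", which keyboards do not learn from, and the
// plaintext is only painted into a separate non-editable element.
function revealByMirroring(input, mirror, show) {
  input.type = 'password'; // never downgrade the real field
  mirror.textContent = show ? input.value : '';
  mirror.hidden = !show;
  return mirror.textContent;
}

// Defence in depth for any field that must be type="text": hint to the
// keyboard that the value is not prose. Browsers may ignore these hints,
// which is why mirroring is the primary fix rather than this.
function hardenTextField(input) {
  for (const [name, value] of [
    ['autocomplete', 'off'], ['autocorrect', 'off'],
    ['autocapitalize', 'off'], ['spellcheck', 'false'],
  ]) input.setAttribute(name, value);
  return input;
}

// Wire a checkbox to the mirroring variant: the field stays hidden by dots
// while the mirror is refreshed on every keystroke and on every toggle.
function wireShowPassword(input, mirror, checkbox) {
  const update = () => revealByMirroring(input, mirror, checkbox.checked);
  input.addEventListener('input', update);
  checkbox.addEventListener('change', update);
  update();
}
```

In a browser, call `wireShowPassword(document.querySelector('#pw'), document.querySelector('#pw-mirror'), document.querySelector('#show-pw'))` once the form is in the DOM; the element ids are placeholders for your own markup.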