PayPal addresses two-factor authentication bypass

Two-factor authentication can be bypassed on some of PayPal's mobile applications.

Due to a vulnerability existing in some of PayPal's mobile applications, all someone needs to access an account with two-factor authentication enabled is a set of legitimate primary credentials, according to researchers with Duo Security.

As a precaution, the online payment company is no longer allowing users to log into their accounts on the PayPal mobile app, or certain other mobile apps, if two-factor authentication is enabled, Anuj Nayar, senior director of global initiatives with PayPal, explained in a Wednesday post.

“Late yesterday, PayPal stopped returning the ‘access token’ used for api.paypal.com – further limiting access, and no longer allowing for retrieval of the account's ‘wallet’ data,” Zach Lanier, senior researcher at Duo Security, told SCMagazine.com on Tuesday.

While the issue has almost entirely been mitigated, just a day prior Duo Security was able to reproduce the exploit on devices running iOS and Android, Lanier said.

“Through reverse engineering and the proxying of traffic, we were able to write a proof-of-concept that, with just regular credentials, was enough to bypass two-factor authentication, access accounts, and send money,” Lanier said. “Ultimately, that flaw weakened the two-factor authentication, and [made it] kind of moot.”

In a video included in a Wednesday Duo Security post, Lanier demonstrated the exploit on an iPad using his own PayPal account, which has two-factor authentication enabled.

First he logged into the official PayPal iOS app. In a couple of seconds, he was kicked off after a notification popped up explaining that the app does not yet support a security key, but not before being shown a quick glimpse of his own account – proof that he was logged in, at least for a moment, Lanier said.

Lanier then logged into the iOS app again, but activated Airplane Mode from the control center as soon as he got that quick glimpse of his account. After a notification alerted him that the server could not be reached, Lanier deactivated Airplane Mode and gained unfettered access to the PayPal account – enabling him to transfer funds.

“This [did] not affect PayPal.com,” Lanier said, adding a long-term fix is planned for July 28. “The stuff they are authenticating there is behind web infrastructure and it's fully enforced. This is specific to this API used by mobile applications.”

Dan Saltman, co-founder of Everyday-Carry.com, originally reported the issue to PayPal on March 28 via the bug bounty program, Lanier said, adding that Saltman came to Duo Security on April 22 after not hearing back from PayPal.

“The vulnerability lies primarily in the authentication flow for PayPal's API web services,” Lanier wrote in the post. “In particular, api.paypal.com, a REST-ful API [that] uses OAuth for authentication [and] authorization, does not directly enforce two-factor authentication requirements server-side when authenticating a user.”
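The distinction Lanier draws, between an API that merely reports that two-factor authentication is enabled and one that enforces it before handing out a token, is easiest to see side by side. The following is an added example, not PayPal's or Duo Security's code: a minimal model of an OAuth-style token endpoint in two variants. The user records, passwords and one-time codes are constructed sample data, and the class and method names (`WeakTokenServer`, `HardenedTokenServer`, `verify_second_factor`, `wallet`) are assumptions for the model.

```python
# Added example (not PayPal's or Duo Security's code): a model of an
# OAuth-style token endpoint in two variants. WeakTokenServer returns a
# full access token on primary credentials and leaves it to the client to
# refuse to proceed when "requires_2fa" is set; HardenedTokenServer never
# mints the token until the second factor has been verified server-side.
import hashlib
import hmac
import secrets


def _hash(password: str, salt: str) -> str:
    # Salted SHA-256 is enough for a model; use a real password KDF in production.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user store: "otp" is the code the user's security key would produce.
USERS = {
    "alice": {"salt": "s1", "pw": _hash("correct horse", "s1"), "2fa": True, "otp": "246810"},
    "bob": {"salt": "s2", "pw": _hash("hunter2", "s2"), "2fa": False, "otp": None},
}


def _check_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["pw"], _hash(password, rec["salt"]))


class WeakTokenServer:
    """Client-enforced 2FA: the access token is issued with primary credentials
    alone and the response only flags that 2FA is enabled. Any client that
    ignores the flag, or is cut off before it acts on it, holds a token the
    API will honour."""

    def __init__(self):
        self.tokens = {}

    def login(self, username, password):
        if not _check_password(username, password):
            return {"error": "invalid_credentials"}
        token = secrets.token_hex(16)
        self.tokens[token] = username
        return {"access_token": token, "requires_2fa": USERS[username]["2fa"]}

    def wallet(self, token):
        user = self.tokens.get(token)
        return {"owner": user, "balance": 100} if user else {"error": "unauthorized"}


class HardenedTokenServer:
    """Server-enforced 2FA: with 2FA enabled, the primary-credential step
    yields only an opaque pending id. The access token exists only after
    verify_second_factor succeeds, so nothing else the client can present
    is accepted by the API."""

    def __init__(self):
        self.tokens = {}
        self.pending = {}

    def login(self, username, password):
        if not _check_password(username, password):
            return {"error": "invalid_credentials"}
        if USERS[username]["2fa"]:
            pending_id = secrets.token_hex(16)
            self.pending[pending_id] = username
            return {"pending_id": pending_id, "requires_2fa": True}
        return {"access_token": self._issue(username), "requires_2fa": False}

    def verify_second_factor(self, pending_id, otp):
        # Single use: a wrong code discards the pending login, so each
        # guess costs the caller a fresh primary-credential round trip.
        username = self.pending.pop(pending_id, None)
        if username is None or not hmac.compare_digest(str(USERS[username]["otp"]), str(otp)):
            return {"error": "invalid_second_factor"}
        return {"access_token": self._issue(username)}

    def _issue(self, username):
        token = secrets.token_hex(16)
        self.tokens[token] = username
        return token

    def wallet(self, token):
        user = self.tokens.get(token)
        return {"owner": user, "balance": 100} if user else {"error": "unauthorized"}


def demo():
    """Wallet responses each server gives to a caller that has only the
    primary credentials of a 2FA-enabled account and never supplies a code."""
    weak = WeakTokenServer()
    weak_resp = weak.login("alice", "correct horse")
    weak_wallet = weak.wallet(weak_resp.get("access_token", ""))
    hard = HardenedTokenServer()
    hard_resp = hard.login("alice", "correct horse")
    # The only value the weak-side caller could present is the pending id.
    hard_wallet = hard.wallet(hard_resp.get("access_token", hard_resp.get("pending_id", "")))
    return weak_wallet, hard_wallet


if __name__ == "__main__":
    print(demo())
```

The check that matters is where the token is minted: in the hardened variant the server holds the second-factor state itself, so a client that drops its network connection or skips the prompt has nothing the wallet endpoint will accept.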
