PayPal addresses two-factor authentication bypass

Two-factor authentication can be bypassed on some of PayPal's mobile applications.

Because of a vulnerability in the API used by some of PayPal's mobile applications, a set of valid primary credentials (username and password) is all an attacker needs to access an account that has two-factor authentication enabled, according to researchers with Duo Security.

As a precaution, the online payment company is no longer allowing users to log into their accounts on the PayPal mobile app, or certain other mobile apps, if two-factor authentication is enabled, Anuj Nayar, senior director of global initiatives with PayPal, explained in a Wednesday post.

“Late yesterday, PayPal stopped returning the 'access token' used for api.paypal.com – further limiting access, and no longer allowing for retrieval of the account's 'wallet' data,” Zach Lanier, senior researcher at Duo Security, told SCMagazine.com on Tuesday.

Although the issue has since been almost entirely mitigated, Duo Security was still able to reproduce the exploit on devices running iOS and Android just a day earlier, Lanier said.

“Through reverse engineering and the proxying of traffic, we were able to write a proof-of-concept that, with just regular credentials, was enough to bypass two-factor authentication, access accounts, and send money,” Lanier said. “Ultimately, that flaw weakened the two-factor authentication, and [made it] kind of moot.”

In a video included in a Wednesday Duo Security post, Lanier demonstrated the exploit on an iPad using his own PayPal account, which has two-factor authentication enabled.

First he logged into the official PayPal iOS app with his username and password. Within a couple of seconds a notification popped up explaining that the app does not yet support a security key (the app's term for PayPal's two-factor authentication) and he was logged out, but not before a quick glimpse of his own account had appeared on screen, proof that the app had already been authenticated, at least for a moment, Lanier said.

Lanier then logged into the iOS app again, but this time he switched on Airplane Mode from Control Center the moment that glimpse of his account appeared. Cut off from the network, the app could not complete the security-key check that would otherwise have logged him out; it showed a notification that the server could not be reached, and when Lanier switched Airplane Mode off again he had unfettered access to the PayPal account, including the ability to transfer funds. The session the app had already obtained with the password alone stayed valid because, as Lanier explains in Duo's post, the API behind the app never enforced the second factor itself.

“This [did] not affect PayPal.com,” Lanier said, adding a long-term fix is planned for July 28. “The stuff they are authenticating there is behind web infrastructure and it's fully enforced. This is specific to this API used by mobile applications.”

Dan Saltman, co-founder of Everyday-Carry.com, originally reported the issue to PayPal on March 28 via the bug bounty program, Lanier said, adding that Saltman came to Duo Security on April 22 after not hearing back from PayPal.

“The vulnerability lies primarily in the authentication flow for PayPal's API web services,” Lanier wrote in the post. “In particular, api.paypal.com, a REST-ful API [that] uses OAuth for authentication [and] authorization, does not directly enforce two-factor authentication requirements server-side when authenticating a user.”
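As an added illustration that is not part of the article and is not PayPal's or Duo Security's code, the following hypothetical Python model contrasts the two authorization-server designs behind the Airplane Mode demonstration and Lanier's description of the API: a server that issues a fully scoped token on the password alone and leaves the two-factor step to the client (the pattern that both the Airplane Mode trick and a direct API call defeat), and one that issues only a narrow, short-lived pending token until the one-time code has been verified server-side. All names, the user store, the passwords and the fixed one-time code are constructed for the example; a real server would compute a TOTP and rate-limit attempts.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user store (hypothetical; not PayPal's). Passwords are PBKDF2-hashed so
# the primary check is realistic; the one-time code is a fixed value so the example
# runs offline where a real server would compute a TOTP.
_SALT = b"constructed-salt"

def _hash_pw(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)

USERS = {
    "alice": {"pw_hash": _hash_pw("correct horse"), "two_factor": True, "otp": "123456"},
    "bob": {"pw_hash": _hash_pw("hunter2"), "two_factor": False, "otp": None},
}

def _check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["pw_hash"], _hash_pw(password))


class TokenStore:
    """Opaque bearer tokens mapped to user, scope and expiry."""
    def __init__(self):
        self._t = {}

    def issue(self, user: str, scope: str, ttl: int) -> str:
        tok = secrets.token_urlsafe(32)
        self._t[tok] = {"user": user, "scope": scope, "exp": time.time() + ttl}
        return tok

    def lookup(self, tok):
        rec = self._t.get(tok)
        return rec if rec and rec["exp"] > time.time() else None

    def revoke(self, tok):
        self._t.pop(tok, None)


def transfer(store: TokenStore, token, amount: int) -> dict:
    """Resource API shared by both servers: scope is checked on every call."""
    rec = store.lookup(token)
    if rec is None or rec["scope"] != "wallet:full":
        return {"error": "unauthorized"}
    return {"ok": True, "user": rec["user"], "amount": amount}


class VulnerableAuthServer:
    """Two-factor is only a hint to the client; the token is already fully scoped."""
    def __init__(self):
        self.store = TokenStore()

    def login(self, user: str, password: str) -> dict:
        if not _check_password(user, password):
            return {"error": "invalid_credentials"}
        # BUG: a full-scope token is issued before any second factor is checked.
        # Enforcement is left to the app, which is expected to log itself out.
        return {"access_token": self.store.issue(user, "wallet:full", 3600),
                "two_factor_required": USERS[user]["two_factor"]}


class HardenedAuthServer:
    """The server, not the client, decides when the second factor is satisfied."""
    def __init__(self):
        self.store = TokenStore()

    def login(self, user: str, password: str) -> dict:
        if not _check_password(user, password):
            return {"error": "invalid_credentials"}
        if not USERS[user]["two_factor"]:
            return {"access_token": self.store.issue(user, "wallet:full", 3600)}
        # Narrow, short-lived token whose only privilege is finishing the 2FA step.
        return {"pending_token": self.store.issue(user, "pending_2fa", 300),
                "two_factor_required": True}

    def verify_otp(self, pending_token: str, code: str) -> dict:
        rec = self.store.lookup(pending_token)
        if rec is None or rec["scope"] != "pending_2fa":
            return {"error": "invalid_pending_token"}
        if not hmac.compare_digest(USERS[rec["user"]]["otp"], code):
            return {"error": "invalid_code"}   # a real server would also rate-limit
        self.store.revoke(pending_token)       # single use
        return {"access_token": self.store.issue(rec["user"], "wallet:full", 3600)}


def password_only_client(server, user="alice", password="correct horse") -> dict:
    """A client holding only the primary credentials that ignores, or never receives,
    the two_factor_required hint and calls the resource API straight away."""
    resp = server.login(user, password)
    token = resp.get("access_token") or resp.get("pending_token")
    return transfer(server.store, token, 100)


def honest_client(server, user="alice", password="correct horse", code="123456") -> dict:
    """A well-behaved client that completes the second factor when asked to."""
    resp = server.login(user, password)
    if "pending_token" in resp:
        resp = server.verify_otp(resp["pending_token"], code)
    if "access_token" not in resp:
        return resp
    return transfer(server.store, resp["access_token"], 100)


if __name__ == "__main__":
    print("vulnerable, password only:", password_only_client(VulnerableAuthServer()))
    print("hardened, password only:  ", password_only_client(HardenedAuthServer()))
    print("hardened, with OTP:       ", honest_client(HardenedAuthServer()))
```

Running the script shows the password-only client completing a transfer against the vulnerable server and being refused by the hardened one, which hands out a full-scope token only after verify_otp succeeds. Because the resource API checks the token's scope on every call, a client that drops the two_factor_required hint, whether deliberately or because the network disappeared at that instant, gains nothing.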
