PayPal addressing another two-factor authentication bypass

PayPal said it is working on a fix to a two-factor authentication bypass exploit discovered by an Australian researcher.

PayPal account security is at risk again.

Australian researcher Joshua Rogers has discovered a method for getting past PayPal's two-factor authentication, which is possible due to an issue in the way that PayPal accounts integrate with eBay accounts.

The exploit requires primary credentials, Rogers told SCMagazine.com in a Tuesday email correspondence, explaining that a successful bypass could enable an attacker to log on and do anything a regular user can do, including send money, as well as change settings such as the account password.

A PayPal spokesperson told SCMagazine.com in a Tuesday email correspondence that the company is aware of the issue, which is limited to a small number of integrations with Adaptive Payments, and is working on getting it addressed as quickly as possible.

Rogers said PayPal told him something similar on June 5 when he notified the company of the bypass exploit, but apparently the problem was never fixed, so he decided to disclose the issue in a Monday post.

When setting up the integration feature from any eBay account, Rogers wrote, users are taken to a PayPal login page with a URL that contains “=_integrated-registration,” which a Google search shows is used solely for PayPal account and eBay account integration.

“Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process,” Rogers wrote. “And this is where the exploit lies. Now just load http://www.paypal.com/, and you are logged in, and don't need to re-enter your login.”

Rogers added, “So, the actual bug itself is that the ‘=_integrated-registration’ function does not check for a [two-factor authentication] code, despite logging you into PayPal.”

It works because PayPal assumes that an account logged in through eBay must belong to the same person, Rogers said, adding that one reason for the problem might simply be that developers forgot to update the code.

“I consider it a significant vulnerability,” Rogers said, adding that implementing a fix should be simple. “If you think of [two-factor authentication] as a second password, it's like making the second password completely obsolete.”
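The bug class described above is a second-factor check that is bound to one login entry point rather than to session issuance, so any other entry point (here, the partner-integration flow) mints a cookie the main site accepts. The following toy model is an added example and not PayPal's or eBay's code; the account store, the integration flow name and the fixed TOTP code are constructed stand-ins for the '=_integrated-registration' path the article describes.

```python
import hmac
import secrets

# Constructed account store: a plaintext password stands in for a hash.
ACCOUNTS = {"alice": {"password": "pw-alice", "mfa_enabled": True}}
SESSIONS = {}  # session token -> username, shared by every entry point


def _credentials_ok(user, password):
    acct = ACCOUNTS.get(user)
    return acct is not None and hmac.compare_digest(acct["password"], password)


def _totp_ok(user, code):
    # Constructed stand-in for real TOTP verification.
    return code == "123456"


def _mint_session(user):
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    return token


def main_site_user(token):
    # The main site trusts any token in the shared store, whoever minted it.
    return SESSIONS.get(token)


# VULNERABLE: each entry point decides for itself whether to check 2FA.
def login_standard_vulnerable(user, password, code=None):
    if not _credentials_ok(user, password):
        return None
    if ACCOUNTS[user]["mfa_enabled"] and not _totp_ok(user, code):
        return None
    return _mint_session(user)


def login_integration_vulnerable(user, password):
    # Primary credentials only; the cookie it sets is valid everywhere.
    if not _credentials_ok(user, password):
        return None
    return _mint_session(user)


# FIXED: the second-factor policy lives where sessions are issued, so a
# new or forgotten entry point cannot skip it.
def issue_session_fixed(user, password, code=None):
    if not _credentials_ok(user, password):
        return None
    if ACCOUNTS[user]["mfa_enabled"] and not _totp_ok(user, code):
        return None
    return _mint_session(user)


def login_integration_fixed(user, password, code=None):
    return issue_session_fixed(user, password, code)
```

Auditing for this pattern means enumerating every code path that can create an authenticated session and confirming each one reaches the same enforcement point.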
