PayPal addressing another two-factor authentication bypass

PayPal said it is working on a fix to a two-factor authentication bypass exploit discovered by an Australian researcher.

PayPal account security is at risk again.

Australian researcher Joshua Rogers has discovered a method for getting past PayPal's two-factor authentication, which is possible due to an issue in the way that PayPal accounts integrate with eBay accounts.

The exploit requires the victim's primary credentials, Rogers said in a Tuesday email; with those in hand, a successful bypass would let an attacker log on and do anything a regular user can do, including sending money and changing settings such as the account password.

A PayPal spokesperson said in a Tuesday email that the company is aware of the issue, which it described as limited to a small number of integrations with Adaptive Payments, and that it is working to get it addressed as quickly as possible.

Rogers said PayPal told him much the same on June 5, when he first notified the company of the bypass, but the problem was apparently never fixed, so he decided to disclose it publicly in a Monday post.

When setting up the integration feature from any eBay account, Rogers wrote, users are taken to a PayPal login page with a URL that contains “=_integrated-registration,” which a Google search shows is used solely for PayPal account and eBay account integration.

“Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process,” Rogers wrote. “And this is where the exploit lies. Now just load, and you are logged in, and don't need to re-enter your login.”

Rogers added, “So, the actual bug itself is that the '=_integrated-registration' function does not check for a [two-factor authentication] code, despite logging you into PayPal.”

It works because PayPal assumes that an account logged in through eBay must belong to the same person, Rogers said; one likely cause, he added, is simply that developers forgot to update that login path when the two-factor check was introduced elsewhere.
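The pattern Rogers describes, a second login entry point that issues a session after checking only the password, is easy to model. The following is an added example written for this article, not PayPal's or eBay's code: a constructed site with two login paths selected by a hypothetical `cmd` parameter (the article only shows the `=_integrated-registration` value, not the parameter name), a constructed test account whose one-time-code secret is the RFC 4226 test-vector key, and an HOTP check standing in for whatever second factor a real site uses. `login_vulnerable` enforces the code only on the normal path; `login_hardened` routes every entry point through a single `authenticate()` that never issues a session without both factors.

```python
"""Constructed model of an alternate-login-path second-factor bypass.

Added example, not PayPal's code. Two login entry points are selected by a
hypothetical `cmd` parameter; the vulnerable version only remembers the
one-time code on the normal path, the hardened version funnels both paths
through one function that always enforces it.
"""
import hashlib
import hmac
import secrets
import struct

# Constructed test account. The OTP secret is the RFC 4226 test-vector key,
# so hotp(secret, 0) == "755224" and hotp(secret, 1) == "287082".
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "otp_secret": b"12345678901234567890",  # None would mean 2FA not enrolled
    },
}
SESSIONS = {}  # session token -> username


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def _password_ok(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def _second_factor_ok(username, otp, counter):
    secret = USERS[username]["otp_secret"]
    if secret is None:
        return True  # account has no second factor enrolled
    return otp is not None and hmac.compare_digest(otp, hotp(secret, counter))


def _issue_session(username):
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def login_vulnerable(cmd, username, password, otp=None, counter=0):
    """Two entry points; only the normal one checks the one-time code."""
    if not _password_ok(username, password):
        return None
    if cmd == "_login-submit":
        if not _second_factor_ok(username, otp, counter):
            return None
    elif cmd != "_integrated-registration":
        return None
    # The integration path reaches here with only the password verified.
    return _issue_session(username)


def authenticate(username, password, otp, counter):
    """Single choke point: no session without password AND second factor."""
    if not _password_ok(username, password):
        return None
    if not _second_factor_ok(username, otp, counter):
        return None
    return _issue_session(username)


def login_hardened(cmd, username, password, otp=None, counter=0):
    """Every entry point delegates to authenticate(); none can skip the code."""
    if cmd not in ("_login-submit", "_integrated-registration"):
        return None
    return authenticate(username, password, otp, counter)


if __name__ == "__main__":
    # Password only: the normal path refuses, the integration path lets you in.
    print("vulnerable, normal path:     ", login_vulnerable("_login-submit", "alice", "correct horse"))
    print("vulnerable, integration path:", login_vulnerable("_integrated-registration", "alice", "correct horse"))
    print("hardened, integration path:  ", login_hardened("_integrated-registration", "alice", "correct horse"))
    print("hardened, with code:         ", login_hardened("_integrated-registration", "alice", "correct horse", otp="755224"))
```

The point of the hardened shape is architectural rather than a one-line patch: a site that issues session cookies from several handlers will eventually add one that forgets the second factor, so the check belongs in the one function that mints sessions, not in each caller. A quick audit for the same class of bug is to grep for every place a login cookie is set and confirm each of them is reachable only through that function.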

“I consider it a significant vulnerability,” Rogers said, adding that implementing a fix should be simple. “If you think of [two-factor authentication] as a second password, it's like making the second password completely obsolete.”
