
PayPal patches flaw that allowed 2FA bypass… again

PayPal released a patch for a vulnerability that a security researcher said allowed him to bypass the payments company's two-factor authentication in less than five minutes.

Henry Hoggart, a mobile security consultant at MWR InfoSecurity, wrote in a blog post that he recently needed to make a payment from a hotel but was unable to receive the 2FA code on his mobile phone because he had no service. So he simply routed his browser through a proxy and replaced "securityQuestion0" with "securityQuestion1" in the POST data it sent. PayPal reported the issue as fixed last week, according to the blog post.

The update is the second patch addressing a two-factor authentication vulnerability that PayPal released in the past three months. In July, PayPal patched a missing verification mechanism affecting its UK login portal and preview portal, according to security researcher Shawar Khan's disclosure.
