A two-factor authentication (2FA) vulnerability affecting PayPal’s login portal process has been patched. Security researcher Shawar Khan notified the online payment company of the high-severity flaw in May and he was awarded an undisclosed bug bounty in July.
The vulnerability affects the interaction of PayPal’s UK login portal and preview portal with the API. According to a Vulnerability Labs’ security advisory, the PayPal preview login portal is missing a verification mechanism. “When logged in via PayPal UK login portal, it checks if the user account is already signed in from any other portal,” the advisory stated. PayPal issued a Common Vulnerability Scoring System rating of 6.2.
In April, a researcher disclosed a flaw that could have been exploited by an attacker to embed malicious code into the email headings sent via PayPal’s portal.
In December 2015, a researcher discovered a critical vulnerability in one of PayPal’s business websites that allowed remote code execution. The researcher, Michael “Artsploit” Stepankin, stated that he was able to exploit the flaw to gain access to production databases.