Vulnerability Management

PayPal addressing another two-factor authentication bypass

PayPal account security is at risk again.

Australian researcher Joshua Rogers has discovered a method for getting past PayPal's two-factor authentication, which is possible due to an issue in the way that PayPal accounts integrate with eBay accounts.

The exploit requires primary credentials, Rogers told in a Tuesday email correspondence, explaining that a successful bypass could enable an attacker to log on and do anything a regular user can do, including send money, as well as change settings such as the account password.

A PayPal spokesperson told in a Tuesday email correspondence that the company is aware of the issue, which is limited to a small amount of integrations with Adaptive Payments, and is working on getting it addressed as quickly as possible.

Rogers said PayPal told him something similar on June 5 when he notified the company of the bypass exploit, but apparently the problem was never fixed, so he decided to disclose the issue in a Monday post.

When setting up the integration feature from any eBay account, Rogers wrote, users are taken to a PayPal login page with a URL that contains “=_integrated-registration,” which a Google search shows is used solely for PayPal account and eBay account integration.

“Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process,” Rogers wrote. “And this is where the exploit lays. Now just load, and you are logged in, and don't need to re-enter your login.”

Rogers added, “So, the actual bug itself is that the "=_integrated-registration" function does not check for a [two-factor authentication] code, despite logging you into PayPal.”

The reason it works is because PayPal assumes that by logging in through eBay, the account must belong to the same person, Rogers said, explaining that one reason for the problem might just be that developers forgot to update the code.  

“I consider it a significant vulnerability,” Rogers said, adding that implementing a fix should be simple. “If you think of [two-factor authentication] as a second password, it's like making the second password completely obsolete.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.