Because of a vulnerability in some of PayPal's mobile applications, a set of valid primary credentials (username and password) is all someone needs to get into an account that has two-factor authentication enabled, according to researchers with Duo Security.
As a precaution, the online payment company is no longer allowing users to log into their accounts on the PayPal mobile app, or certain other mobile apps, if two-factor authentication is enabled, Anuj Nayar, senior director of global initiatives with PayPal, explained in a Wednesday post.
“Late yesterday, PayPal stopped returning the 'access token' used for api.paypal.com – further limiting access, and no longer allowing for retrieval of the account's 'wallet' data,” Zach Lanier, senior researcher at Duo Security, told SCMagazine.com on Tuesday.
While the issue has almost entirely been mitigated, just a day prior Duo Security was able to reproduce the exploit on devices running iOS and Android, Lanier said.
“Through reverse engineering and the proxying of traffic, we were able to write a proof-of-concept that, with just regular credentials, was enough to bypass two-factor authentication, access accounts, and send money,” Lanier said. “Ultimately, that flaw weakened the two-factor authentication, and [made it] kind of moot.”
In a video included in a Wednesday Duo Security post, Lanier demonstrated the exploit on an iPad using his own PayPal account, which has two-factor authentication enabled.
First he logged into the official PayPal iOS app. Within a couple of seconds a notification appeared explaining that the app does not yet support a security key and he was logged out, but not before he was briefly shown his own account, proof that he had been logged in, at least for a moment, Lanier said.
Lanier then logged into the iOS app again, but switched on Airplane Mode from the control center as soon as he got that brief glimpse of his account. After a notification alerted him that the server could not be reached, he switched Airplane Mode off and had unfettered access to the PayPal account, enough to transfer funds.
“This [did] not affect PayPal.com,” Lanier said, adding a long-term fix is planned for July 28. “The stuff they are authenticating there is behind web infrastructure and it's fully enforced. This is specific to this API used by mobile applications.”
Dan Saltman, co-founder of Everyday-Carry.com, originally reported the issue to PayPal on March 28 via the bug bounty program, Lanier said, adding that Saltman came to Duo Security on April 22 after not hearing back from PayPal.
“The vulnerability lies primarily in the authentication flow for PayPal's API web services,” Lanier wrote in the post. “In particular, api.paypal.com, a REST-ful API [that] uses OAuth for authentication [and] authorization, does not directly enforce two-factor authentication requirements server-side when authenticating a user.”
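The pattern Lanier describes, and the Airplane Mode demonstration above, come down to one design error: the server hands out a fully privileged token on the password alone and leaves the second-factor check to the client. The following is an added illustration written for this article, not PayPal's or Duo Security's code. It models a token endpoint that behaves that way beside one that enforces the second factor server-side, and a client that fails open when its follow-up check cannot reach the server. The class names, the profile/wallet/send_money endpoints, the sample account and the exact request sequence of the client check are assumptions made for the example; the article does not state which request the real app made.

```python
import hmac
import secrets

# Constructed sample account (assumption for the example); 2FA is enabled.
USERS = {"alice": {"password": "correct horse battery staple",
                   "two_factor_enabled": True, "otp": "492751", "balance": 100}}


class VulnerableApi:
    """Token endpoint that issues a full-power access token on the password
    alone and leaves two-factor enforcement to the official app."""

    def __init__(self):
        self._users = {name: dict(rec) for name, rec in USERS.items()}
        self._sessions = {}

    def _check_password(self, username, password):
        user = self._users.get(username)
        return user if user and hmac.compare_digest(user["password"], password) else None

    def _issue_token(self, username):
        tok = secrets.token_urlsafe(24)
        self._sessions[tok] = username
        return tok

    def _user(self, tok):
        name = self._sessions.get(tok)
        return self._users[name] if name else None

    def token(self, username, password):
        if self._check_password(username, password) is None:
            return {"error": "invalid_credentials"}
        return {"access_token": self._issue_token(username)}  # 2FA never consulted

    def profile(self, tok):
        user = self._user(tok)
        return {"error": "unauthorized"} if user is None else {"two_factor_enabled": user["two_factor_enabled"]}

    def wallet(self, tok):
        user = self._user(tok)
        return {"error": "unauthorized"} if user is None else {"balance": user["balance"]}

    def send_money(self, tok, amount):
        user = self._user(tok)
        if user is None:
            return {"error": "unauthorized"}
        if amount > user["balance"]:
            return {"error": "insufficient_funds"}
        user["balance"] -= amount
        return {"sent": amount, "balance": user["balance"]}


class HardenedApi(VulnerableApi):
    """Same endpoints, but when 2FA is on the password step returns only a
    single-use challenge handle; a token exists only after the second factor."""

    def __init__(self):
        super().__init__()
        self._pending = {}

    def token(self, username, password):
        user = self._check_password(username, password)
        if user is None:
            return {"error": "invalid_credentials"}
        if user["two_factor_enabled"]:
            challenge = secrets.token_urlsafe(24)
            self._pending[challenge] = username   # unlocks nothing by itself
            return {"error": "second_factor_required", "challenge": challenge}
        return {"access_token": self._issue_token(username)}

    def second_factor(self, challenge, otp):
        username = self._pending.pop(challenge, None)   # single use
        if username is None or not hmac.compare_digest(self._users[username]["otp"], otp):
            return {"error": "invalid_second_factor"}
        return {"access_token": self._issue_token(username)}


class OfficialApp:
    """Modelled client-side check (a simplification, not the real app's logic):
    after obtaining a token the app asks the API whether 2FA is on and logs the
    user out if so. If that request cannot reach the server, the check never
    runs and the app keeps the token it already holds."""

    def __init__(self, api):
        self.api, self.token = api, None

    def login(self, username, password, network_up=True):
        self.token = self.api.token(username, password).get("access_token")
        if self.token is None:
            return False
        try:
            if not network_up:
                raise ConnectionError("server could not be reached")
            if self.api.profile(self.token)["two_factor_enabled"]:
                self.token = None          # enforcement lives in the client
                return False
        except ConnectionError:
            pass                           # fails open
        return True


def bypass_attempt(api, username, password, amount):
    """What the proof of concept does: skip the app, call the API with only
    primary credentials, read the wallet and try to move money."""
    tok = api.token(username, password).get("access_token")
    if tok is None:
        return {"bypassed": False}
    return {"bypassed": True, "wallet": api.wallet(tok), "transfer": api.send_money(tok, amount)}
```

Against VulnerableApi, both the direct API call and the offline-client trick end with a usable token; against HardenedApi the password step yields only a challenge that no endpoint accepts as a credential, so neither route gets past the second factor. The check a practitioner wants from this is simple: if any request made with the password alone returns something that unlocks data or money, the second factor is decorative.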