A mobile security consultant bypassed the two-factor authentication by replacing post data sent by his browser.

PayPal released a patch for a vulnerability that a security researcher said allowed him to bypass the payments company's two-factor authentication in less than five minutes.

Henry Hoggart, a mobile security consultant at MWR InfoSecurity, wrote in a blog post that he recently needed to make a payment from a hotel but was unable to receive the 2FA code on his mobile phone because he had no service. So he routed his browser through a proxy and replaced “securityQuestion0” with “securityQuestion1” in the POST data it sent. PayPal reported the issue as fixed last week, according to the blog post.
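The post does not say why the renamed field was accepted. The snippet below is an added illustration (hypothetical, not PayPal's or MWR's code) of the general class of flaw the report points at: a fallback challenge whose identity is taken from the client's POST data rather than from server-side state, shown beside a version that binds the check to the question the server actually issued and fails closed on anything else. The field names `securityQuestion0`/`securityQuestion1` come from the article; the account answers are constructed sample data.

```python
import hmac
import secrets

# Constructed sample account: fallback security-question answers keyed by the
# form field name the client posts. Hypothetical data, not PayPal's.
ACCOUNT_ANSWERS = {"securityQuestion0": "rover", "securityQuestion1": "springfield"}


def issue_challenge(session: dict) -> str:
    """Server picks which fallback question to ask and records it server-side."""
    session["expected_key"] = secrets.choice(sorted(ACCOUNT_ANSWERS))
    return session["expected_key"]


def verify_vulnerable(form: dict) -> bool:
    """Client-controlled check (hypothetical flaw): whichever securityQuestionN
    key the client posts decides what is compared. A key with no stored answer
    compares nothing, and a correct answer to a question the server never asked
    is accepted, so the function only fails when a known question is answered
    wrongly. Renaming the field is enough to change what gets checked."""
    for key, answer in form.items():
        if key.startswith("securityQuestion"):
            expected = ACCOUNT_ANSWERS.get(key)
            if expected is not None and not hmac.compare_digest(
                expected.encode(), answer.encode()
            ):
                return False
    return True  # fails open: nothing contradicted the client, so it passes


def verify_hardened(session: dict, form: dict) -> bool:
    """Server-bound check: the answer must be for the question recorded in the
    session, the form must contain exactly that field, and the challenge is
    consumed after one attempt. Anything else is rejected (fails closed)."""
    key = session.pop("expected_key", None)  # single use, whatever the outcome
    if key is None or set(form) != {key}:
        return False
    return hmac.compare_digest(ACCOUNT_ANSWERS[key].encode(), form[key].encode())
```

The difference to look for in review is the source of `key`: the hardened handler never reads it from the request.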

The update is the second patch addressing a two-factor authentication vulnerability that PayPal released in the past three months. In July, PayPal patched a missing verification mechanism affecting its UK login portal and preview portal, according to security researcher Shawar Khan's disclosure.