PayPal’s two-factor authentication can be bypassed easily, researcher says via full disclosure


PayPal’s two-factor authentication can easily be defeated and accounts accessed without an elaborate set of steps, a security researcher has claimed. He disclosed the vulnerability publicly because PayPal has failed to resolve the issue in the two months since it was reported.

PayPal’s two-factor authentication is an extra layer that provides additional security and prevents compromise of user accounts even if someone gets hold of their usernames and passwords. However, the latest security loophole in PayPal lets malicious users access the accounts of users who have set up two-factor authentication on their accounts.

Joshua Rogers, an Australian security researcher, discovered the vulnerability on June 5 and reported it to PayPal the same day. However, according to Rogers, PayPal hasn’t patched the vulnerability even after two months, and he is disclosing the loophole publicly “due to the simplicity of it” and because he believes he gave “Paypal long enough to fix it.”

The vulnerability is present in how eBay allows its users to link their accounts with PayPal. Rogers notes that linking eBay and PayPal accounts creates a cookie that makes the latter believe that the person is logged in.

“When you are redirected to the login page(above), the URL contains “=_integrated-registration”. Doing a quick Google search for this shows that it isn’t used for anything other than eBay; thus it is setup purely for Paypal&eBay”, notes Rogers in his blog post.

“Once you’re actually logged in, a cookie is set with your details, and you’re redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load http://www.paypal.com/, and you are logged in, and don’t need to re-enter your login.”

Rogers notes that the “=_integrated-registration” flow doesn’t check for the two-factor authentication code and logs the user into PayPal directly even if 2FA is enabled.
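The root cause Rogers describes is a second login entry point that issues a fully trusted session without ever consulting the second factor. The following is an added illustration, not PayPal’s or Rogers’s code, of that flawed pattern next to a hardened one in which the 2FA check is enforced on the protected resource rather than on a particular login page; the user records, passwords and OTP values are constructed, and the function names are hypothetical.

```python
import hmac
from dataclasses import dataclass

# Constructed test users; a real system would hash passwords and use TOTP, not a static code.
USERS = {
    "alice": {"password": "correct-horse", "mfa_enabled": True, "otp": "492113"},
    "bob": {"password": "hunter2", "mfa_enabled": False, "otp": None},
}


@dataclass
class Session:
    user: str
    mfa_verified: bool = False  # second factor not yet presented


def password_ok(user: str, password: str) -> bool:
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)


def otp_ok(user: str, code: str) -> bool:
    rec = USERS.get(user)
    return rec is not None and rec["otp"] is not None and hmac.compare_digest(rec["otp"], code)


# Flawed pattern: a partner-integration entry point (hypothetical, modelled on the
# "=_integrated-registration" flow) that trusts the password alone.
def integrated_login_flawed(user: str, password: str):
    if not password_ok(user, password):
        return None
    return Session(user=user, mfa_verified=True)  # bug: 2FA status never consulted


# Hardened pattern: every entry point yields a partial session, and the second
# factor is enforced at the protected resource, so no alternate login path skips it.
def login_hardened(user: str, password: str):
    if not password_ok(user, password):
        return None
    return Session(user=user, mfa_verified=not USERS[user]["mfa_enabled"])


def verify_otp(session: Session, code: str) -> bool:
    if otp_ok(session.user, code):
        session.mfa_verified = True
    return session.mfa_verified


def can_access_account(session) -> bool:
    """Authorization gate for account pages: decides on session state, not on which login page produced it."""
    if session is None:
        return False
    return session.mfa_verified or not USERS[session.user]["mfa_enabled"]
```

The flawed path lets a password-only session through the gate, while the hardened path keeps the session partial until `verify_otp` succeeds.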

A public disclosure of this sort means that Rogers will not be eligible for PayPal’s bug bounty, which could have earned him somewhere around $2500-$3000.