Security researchers have found a way to bypass the two-factor authentication (2FA) mechanism used by PayPal to enhance the security of customers' accounts.
The vulnerability was first discovered by Dan Saltman from EverydayCarry who reported it to PayPal through the company's bug bounty program on March 29. Because Saltman didn't receive a response from PayPal, he reached out to 2FA solutions provider Duo Security which developed a proof-of-concept exploit script that was sent to the payment processor.
The researchers found that the 2FA mechanism in the PayPal apps for iOS and Android could be easily bypassed. The mobile applications were designed to display an error message when users logged in to 2FA-enabled accounts because the security feature is not supported. However, experts noticed that they could manipulate the response from the server to make it look like the targeted account doesn't have 2FA enabled.
"The vulnerability lies primarily in the authentication flow for the PayPal API web service (api.paypal.com) — an API used by PayPal’s official mobile applications, as well as numerous third-party merchants and apps — but also partially in the official mobile apps themselves," Zach Lanier, a senior security researcher with Duo Security, explained in a blog post.
While the vulnerability impacts the mobile apps, experts have developed a script that uses the underlying API to access PayPal accounts and transfer money from them even from any type of computer.
On Tuesday, PayPal informed Duo Security that it had implemented a workaround to limit the impact of the vulnerability; the company promised to roll out a permanent fix on July 28.
"While two-factor authentication, when done right, provides great value for protecting users and businesses, design and implementation flaws such as this bypass can negate that value. Users may be lulled into a false sense of security, unaware that a security feature isn’t truly living up to its promise," Lanier explained. "With the sheer number of primary credentials being compromised and dumped onto the Internet, strengthening account security with a well-designed two-factor authentication solution is paramount."
Duo Security published a proof-of-concept video and additional technical details on its blog.
*Updated date of permanent fix to July 28.