PayPal Confirms New Two-factor Authentication Bypass Issue

Researchers have identified a new method that can be used to bypass the two-factor authentication (2FA) mechanism that is supposed to give PayPal customers an extra layer of protection for their accounts.

PayPal's 2FA system, called "Security Key," is designed to ensure that accounts can't be accessed even if login credentials fall into the wrong hands. Such features are especially useful because usernames and passwords, which people often use on multiple websites, are regularly obtained by hackers who breach the databases of various online services.

Researchers at Escalate Internet have found that PayPal's 2FA mechanism can be easily bypassed through Adaptive Payments, a system that enables merchants and developers to manage payments in both simple and complex scenarios.

Companies that use Adaptive Payments require users to connect their PayPal accounts to an application. During this process, customers are redirected to PayPal.com to authenticate the connection by entering their login information. Once this is done, the user is directly logged in to PayPal without being prompted to enter the 2FA code.

"While on the surface this doesn't appear to be a huge security threat because you aren't necessarily sending money to anyone, you're simply connecting to an application within their Adaptive Payments system. However, after logging in with just your email address and password on this page, you are fully authenticated. This means you can simply go to PayPal.com and be automatically logged into your account - with the two-step authentication being 100% bypassed!" Escalate Internet wrote in a blog post.

Contacted by SecurityWeek, PayPal says it's aware of the issue and is working on fixing it.

"We are aware of a two-factor authentication (2FA) issue that is limited to a small amount of integrations with Adaptive Payments. 2FA is an extra layer of security some customers have chosen to add to their PayPal accounts. We are working to get the issue addressed as quickly as possible. It is important to clarify that 2FA provides extra assurance to keep accounts secure, however usernames and passwords are still required to gain access to all PayPal accounts," a PayPal spokesperson said in an emailed statement.

"Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way. If you have chosen to add 2FA to your PayPal account, your account will continue to operate as usual on the vast majority of PayPal product experiences," PayPal added. "We have extensive fraud and risk detection models and dedicated security teams who work to help keep our customers’ accounts secure from fraudulent transactions, every day. We apologize for any inconvenience caused to affected customers who use our 2FA process and we will continue to work hard to address this issue."

A similar method that can currently be used to circumvent PayPal's 2FA feature has been described by Australian researcher Joshua Rogers. He has found that the protection mechanism can be bypassed by linking an eBay account to a PayPal account. This is a feature that enables eBay users to save time when they sell or buy items.

During the setup process, customers are taken to a PayPal page where they're asked to log in to their accounts. Once this is done, users can visit www.paypal.com and they're logged in, without having to enter the 2FA code, even if they have the extra layer of protection enabled.

According to Rogers, who reported his findings two months ago, this works even without an eBay account. Users can directly visit the PayPal page for linking accounts and the bypass is successful.
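The Adaptive Payments and eBay-linking flows described above share one flaw class: a password-only login on a secondary page yields a session that the main site accepts as complete. The following is an added example, not PayPal's code and not taken from either researcher; it models that flaw beside a gate that checks which factors the session actually verified. All names, accounts and functions are hypothetical and the data is constructed.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Account:
    password: str        # constructed sample; real systems store a password hash
    second_factor: bool  # True when the user enrolled a second factor

@dataclass
class Session:
    email: str
    factors: set = field(default_factory=set)  # factors actually verified

ACCOUNTS = {  # constructed sample data
    "alice@example.com": Account("correct horse", second_factor=True),
    "bob@example.com": Account("hunter2", second_factor=False),
}

def link_login(email, password):
    """Secondary entry point (account-linking page): verifies the password only."""
    acct = ACCOUNTS.get(email)
    if acct is None or not hmac.compare_digest(
            acct.password.encode(), password.encode()):
        return None
    return Session(email, {"password"})

def verify_second_factor(session, code_valid):
    """Step-up: record the second factor once its code has been checked."""
    if code_valid:
        session.factors.add("otp")
    return session

def gate_flawed(session):
    """Main-site check modelling the reported behaviour: any session is enough."""
    return session is not None

def gate_hardened(session):
    """Main-site check: every factor the account enrolled must be on the session."""
    if session is None:
        return False
    required = {"password"}
    if ACCOUNTS[session.email].second_factor:
        required.add("otp")
    return required <= session.factors
```

Because the hardened gate derives the required factors from the account rather than from the entry point, a new login page cannot silently lower the bar for users who enrolled a second factor.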

In June, Duo Security demonstrated how to get past PayPal's Security Key through the iOS and Android applications provided by the payment processor. At the time, PayPal promised to roll out a permanent fix for the issue by July 28.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.