PayPal Confirms New Two-factor Authentication Bypass Issue

Researchers have identified a new method that can be used to bypass the two-factor authentication (2FA) mechanism that is supposed to give PayPal customers an extra layer of protection for their accounts.

PayPal’s 2FA system, called “Security Key,” is designed to ensure that accounts can’t be accessed even if login credentials fall into the wrong hands. Such features can be very useful, especially since usernames and passwords, which people often reuse across multiple websites, are regularly obtained by hackers who breach the databases of various online services.

Researchers at Escalate Internet have found that PayPal’s 2FA mechanism can be easily bypassed through Adaptive Payments, a system that enables merchants and developers to manage payments in both simple and complex scenarios.

Companies that use Adaptive Payments require users to connect their PayPal accounts to an application. During this process, customers are redirected to PayPal to authenticate the connection by entering their login information. Once this is done, the user is directly logged in to PayPal without being prompted to enter the 2FA code.

“While on the surface this doesn’t appear to be a huge security threat because you aren’t necessarily sending money to anyone, you’re simply connecting to an application within their Adaptive Payments system. However, after logging in with just your email address and password on this page, you are fully authenticated. This means you can simply go to and be automatically logged into your account – with the two-step authentication being 100% bypassed!” Escalate Internet wrote in a blog post.

Contacted by SecurityWeek, PayPal says it’s aware of the issue and is working on fixing it.

“We are aware of a two-factor authentication (2FA) issue that is limited to a small amount of integrations with Adaptive Payments. 2FA is an extra layer of security some customers have chosen to add to their PayPal accounts. We are working to get the issue addressed as quickly as possible. It is important to clarify that 2FA provides extra assurance to keep accounts secure, however usernames and passwords are still required to gain access to all PayPal accounts,” a PayPal spokesperson said in an emailed statement.

“Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way. If you have chosen to add 2FA to your PayPal account, your account will continue to operate as usual on the vast majority of PayPal product experiences,” PayPal added. “We have extensive fraud and risk detection models and dedicated security teams who work to help keep our customers’ accounts secure from fraudulent transactions, every day. We apologize for any inconvenience caused to affected customers who use our 2FA process and we will continue to work hard to address this issue.”

A similar method that can currently be used to circumvent PayPal’s 2FA feature has been described by Australian researcher Joshua Rogers. He has found that the protection mechanism can be bypassed by linking an eBay account to a PayPal account. This is a feature that enables eBay users to save time when they sell or buy items.

During the setup process, customers are taken to a PayPal page where they’re asked to log in to their accounts. Once this is done, users can visit PayPal and find themselves logged in, without having to enter the 2FA code, even if they have the extra layer of protection enabled.

According to Rogers, who reported his findings two months ago, this works even without an eBay account. Users can directly visit the PayPal page for linking accounts and the bypass is successful.
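Both bypasses described above share one root cause: a secondary login page (the Adaptive Payments app-connect flow, the eBay account-link page) mints a session after the password alone, and the rest of the site trusts that session as if the Security Key step had run. The model below is an added illustration, not PayPal's code or either researcher's material; the account store, names and the flawed/hardened access checks are constructed assumptions. It shows why the fix belongs at the account boundary (check the session's 2FA state for every account that enabled it) rather than in each login page.

```python
from dataclasses import dataclass
from hashlib import sha256
from hmac import compare_digest

@dataclass
class Account:
    email: str
    pw_hash: str  # sha256 hex for the demo only; real systems use a slow KDF
    two_factor_enabled: bool

@dataclass
class Session:
    email: str
    two_factor_verified: bool = False  # set only after the OTP/security-key step

# Constructed sample accounts (assumption, not real data).
ACCOUNTS = {
    "alice@example.com": Account("alice@example.com", sha256(b"hunter2").hexdigest(), True),
    "bob@example.com": Account("bob@example.com", sha256(b"pa55word").hexdigest(), False),
}

def verify_password(email: str, password: str):
    acct = ACCOUNTS.get(email)
    if acct and compare_digest(acct.pw_hash, sha256(password.encode()).hexdigest()):
        return acct
    return None

def main_login(email: str, password: str, otp_valid: bool):
    """Primary login page: password, then the 2FA step if the account enabled it."""
    acct = verify_password(email, password)
    if acct is None or (acct.two_factor_enabled and not otp_valid):
        return None  # wrong password or failed step-up: no session at all
    return Session(email, two_factor_verified=acct.two_factor_enabled)

def partner_connect_login(email: str, password: str):
    """Secondary login page (app-connect or account-link flow) that checks only
    the password; the article's flaw is that its session was trusted everywhere."""
    acct = verify_password(email, password)
    return None if acct is None else Session(email)

def account_access_allowed_flawed(session) -> bool:
    return session is not None  # any session is treated as fully authenticated

def account_access_allowed(session) -> bool:
    """Hardened: enforce the account's 2FA policy on the session itself,
    regardless of which login page created it."""
    if session is None:
        return False
    acct = ACCOUNTS[session.email]
    return (not acct.two_factor_enabled) or session.two_factor_verified
```

The same per-session flag is also what a detection rule would look for: an account with 2FA enabled reaching account pages from a session whose step-up never completed.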

In June, Duo Security demonstrated how to get past PayPal’s Security Key through the iOS and Android applications provided by the payment processor. At the time, the company promised to roll out a permanent fix for the issue by July 28.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
