Connect with us

Hi, what are you looking for?



PayPal Confirms New Two-factor Authentication Bypass Issue

Researchers have identified a new method that can be used to bypass the two-factor authentication (2FA) mechanism that is supposed to give PayPal customers an extra layer of protection for their accounts.

Researchers have identified a new method that can be used to bypass the two-factor authentication (2FA) mechanism that is supposed to give PayPal customers an extra layer of protection for their accounts.

PayPal’s 2FA system, called “Security Key,” is designed to ensure that accounts can’t be accessed even if login credentials fall into the wrong hands. Such features can be very useful especially since usernames and passwords, which people often use on multiple websites, are regularly obtained by hackers after breaching the databases of various online services.

Researchers at Escalate Internet have found that PayPal’s 2FA mechanism can be easily bypassed through Adaptive Payments, a system that enables merchants and developers to manage payments in both simple and complex scenarios.

Companies that use Adaptive Payments require users to connect their PayPal accounts to an application. During this process, customers are redirected to to authenticate the connection by entering their login information. Once this is done, the user is directly logged in to PayPal without being prompted to enter the 2FA code.

“While on the surface this doesn’t appear to be a huge security threat because you aren’t necessarily sending money to anyone, you’re simply connecting to an application within their Adaptive Payments sytem. However, after logging in with just your email address and password on this page, you are fully authenticated. This means you can simply go to and be automatically logged into your account – with the two-step authentication being 100% bypassed!” Escalate Internet wrote in a blog post.

Contacted by SecurityWeek, PayPal says it’s aware of the issue and is working on fixing it.

“We are aware of a two-factor authentication (2FA) issue that is limited to a small amount of integrations with Adaptive Payments. 2FA is an extra layer of security some customers have chosen to add to their PayPal accounts. We are working to get the issue addressed as quickly as possible. It is important to clarify that 2FA provides extra assurance to keep accounts secure, however usernames and passwords are still required to gain access to all PayPal accounts,” a PayPal spokesperson said in an emailed statement.

“Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way. If you have chosen to add 2FA to your PayPal account, your account will continue to operate as usual on the vast majority of PayPal product experiences,” PayPal added. “We have extensive fraud and risk detection models and dedicated security teams who work to help keep our customers’ accounts secure from fraudulent transactions, everyday. We apologize for any inconvenience caused to affected customers who use our 2FA process and we will continue to work hard to address this issue.”

Advertisement. Scroll to continue reading.

A similar method that can currently be used to circumvent PayPal’s 2FA feature has been described by Australian researcher Joshua Rogers. He has found that the protection mechanism can be bypassed by linking an eBay account to a PayPal account. This is a feature that enables eBay users to save time when they sell or buy items.

During the setup process, customers are taken to a PayPal page where they’re asked to log in to their accounts. Once this is done, users can visit and they’re logged in, without having to enter the 2FA code, even if they have the extra layer of protection enabled.

According to Rogers, who reported his findings two months ago, this works even without an eBay account. Users can directly visit the PayPal page for linking accounts and the bypass is successful.

In June, Duo Security demonstrated  how to get past PayPal’s Security Key through the iOS and Android applications provided by the payment processor. At the time, the company promised to roll out a permanent fix for the issue by July 28.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.