Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

PayPal Two-Factor Authentication Bypassed

Security researchers have found a way to bypass the two-factor authentication (2FA) mechanism used by PayPal to enhance the security of customers’ accounts.

Security researchers have found a way to bypass the two-factor authentication (2FA) mechanism used by PayPal to enhance the security of customers’ accounts.

The vulnerability was first discovered by Dan Saltman from EverydayCarry who reported it to PayPal through the company’s bug bounty program on March 29. Because Saltman didn’t receive a response from PayPal, he reached out to 2FA solutions provider Duo Security which developed a proof-of-concept exploit script that was sent to the payment processor.

The researchers found that the 2FA mechanism in the PayPal apps for iOS and Android could be easily bypassed. The mobile applications were designed to display an error message when users logged in to 2FA-enabled accounts because the security feature is not supported. However, experts noticed that they could manipulate the response from the server to make it look like the targeted account doesn’t have 2FA enabled.

“The vulnerability lies primarily in the authentication flow for the PayPal API web service (api.paypal.com) — an API used by PayPal’s official mobile applications, as well as numerous third-party merchants and apps — but also partially in the official mobile apps themselves,” Zach Lanier, a senior security researcher with Duo Security, explained in a blog post.

While the vulnerability impacts the mobile apps, experts have developed a script that uses the underlying API to access PayPal accounts and transfer money from them even from any type of computer.

On Tuesday, PayPal informed Duo Security that it had implemented a workaround to limit the impact of the vulnerability; the company promised to roll out a permanent fix on July 28.

“While two-factor authentication, when done right, provides great value for protecting users and businesses, design and implementation flaws such as this bypass can negate that value. Users may be lulled into a false sense of security, unaware that a security feature isn’t truly living up to its promise,” Lanier explained. “With the sheer number of primary credentials being compromised and dumped onto the Internet, strengthening account security with a well-designed two-factor authentication solution is paramount.”

Advertisement. Scroll to continue reading.

Duo Security published a proof-of-concept video and additional technical details on its blog.

*Updated date of permanent fix to July 28.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.