Security Experts:

Connect with us

Hi, what are you looking for?



PayPal Two-Factor Authentication Bypassed

Security researchers have found a way to bypass the two-factor authentication (2FA) mechanism used by PayPal to enhance the security of customers’ accounts.

Security researchers have found a way to bypass the two-factor authentication (2FA) mechanism used by PayPal to enhance the security of customers’ accounts.

The vulnerability was first discovered by Dan Saltman from EverydayCarry who reported it to PayPal through the company’s bug bounty program on March 29. Because Saltman didn’t receive a response from PayPal, he reached out to 2FA solutions provider Duo Security which developed a proof-of-concept exploit script that was sent to the payment processor.

The researchers found that the 2FA mechanism in the PayPal apps for iOS and Android could be easily bypassed. The mobile applications were designed to display an error message when users logged in to 2FA-enabled accounts because the security feature is not supported. However, experts noticed that they could manipulate the response from the server to make it look like the targeted account doesn’t have 2FA enabled.

“The vulnerability lies primarily in the authentication flow for the PayPal API web service ( — an API used by PayPal’s official mobile applications, as well as numerous third-party merchants and apps — but also partially in the official mobile apps themselves,” Zach Lanier, a senior security researcher with Duo Security, explained in a blog post.

While the vulnerability impacts the mobile apps, experts have developed a script that uses the underlying API to access PayPal accounts and transfer money from them even from any type of computer.

On Tuesday, PayPal informed Duo Security that it had implemented a workaround to limit the impact of the vulnerability; the company promised to roll out a permanent fix on July 28.

“While two-factor authentication, when done right, provides great value for protecting users and businesses, design and implementation flaws such as this bypass can negate that value. Users may be lulled into a false sense of security, unaware that a security feature isn’t truly living up to its promise,” Lanier explained. “With the sheer number of primary credentials being compromised and dumped onto the Internet, strengthening account security with a well-designed two-factor authentication solution is paramount.”

Duo Security published a proof-of-concept video and additional technical details on its blog.

*Updated date of permanent fix to July 28.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.