PayPal 2FA flow partially mitigated, accounts are safe

In the wake of the revelation of a flaw that allows attackers to bypass PayPal’s two-factor authentication feature, the e-payment giant has made it temporarily impossible for users who enabled it to log into their PayPal account via the PayPal mobile app and on certain other mobile apps.

These customers will still be able to log in to their PayPal account on a mobile device by visiting the PayPal mobile web site,” noted PayPal Senior Director of Global Initiatives Anuj Nayar, and reassured all users that their accounts habe not been impacted by in any way.

“Even though 2FA is an additional layer of authentication, PayPal does not depend on 2FA to keep accounts secure,” he explained. “We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, everyday.”

The company is still working on a permanent fix for the vulnerability.

“The vulnerability lies primarily in the authentication flow for the PayPal API web service ( — an API used by PayPal’s official mobile applications, as well as numerous third-party merchants and apps — but also partially in the official mobile apps themselves,” says Duo Security’s Zach Lanier, who is part of the team that analyzed the flaw, which was first discovered by Dan Saltman of

“We developed a proof-of-concept exploit to leverage this lack of 2FA enforcement, interfacing with the PayPal API directly and effectively mimicking the PayPal mobile app as though it were accessing a non-2FA account. The exploit communicates with two separate PayPal API services — one to authenticate (only with primary credentials), and another to transfer money to a destination account.”

For extensive technical details about the flaw and PayPal’s mitigation efforts implemented in the last few days, check out Lanier’s blog post.


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss