Joshua Rogers, a teenage whitehat based in Australia, has found an extremely simple way to bypass PayPal’s two-factor authentication feature.
Rogers first discovered the bypass vulnerability in early June and immediately reported it to PayPal. But since two months have passed and the issue hasn’t been fixed, he has decided to go public with the information.
The weakness in question lies in the process of linking an eBay account with the user’s PayPal account (PayPal is owned by eBay), and the only thing an attacker must know to effect the bypass is the PayPal login credentials of the potential victim – something that isn’t hard to obtain in this age of data theft and leaks.
Rogers published a video demonstrating the exploit.
“To make it clear: The PayPal account you were ‘hacking’ did NOT have to be affiliated with the eBay account you were using. In my original tests, I had made a new eBay account using a temporary email, and had gotten into my PayPal through the same method,” he added on Tuesday. “It works even without an eBay account, actually.”
“We are aware of a two-factor authentication (2FA) issue that is limited to a small number of integrations with Adaptive Payments. 2FA is an extra layer of security some customers have chosen to add to their PayPal accounts. We are working to get the issue addressed as quickly as possible. It is important to clarify that 2FA provides extra assurance to keep accounts secure; however, usernames and passwords are still required to gain access to all PayPal accounts,” a PayPal spokesperson commented on the issue.
“Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way. If you have chosen to add 2FA to your PayPal account, your account will continue to operate as usual on the vast majority of PayPal product experiences. We have extensive fraud and risk detection models and dedicated security teams who work to help keep our customers’ accounts secure from fraudulent transactions, every day. We apologize for any inconvenience caused to affected customers who use our 2FA process, and we will continue to work hard to address this issue.”