A teenage whitehat hacker said he has found a simple way that attackers can bypass the two-factor authentication system PayPal uses to protect user accounts.
The circumvention requires little more than spoofing a browser cookie set when users link their eBay and PayPal accounts, according to Joshua Rogers, a 17-year-old living in Melbourne, Australia. Once the cookie—which is tied to a function PayPal identifies as “=_integrated-registration”—is active in a user’s browsing session, the two-factor authentication is circumvented, Rogers reported. That means attackers who somehow acquire someone else’s login credentials would be able to log in without having to enter the one-time passcode sent to the account holder’s mobile phone.
Rogers said he reported the vulnerability privately to PayPal on June 5. He said he went public two months later after receiving no response. He went on to write:
Once you’re actually logged in, a cookie is set with your details, and you’re redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load http://www.paypal.com/ and you are logged in and don’t need to re-enter your login.
So, the actual bug itself is that the “=_integrated-registration” function does not check for a 2FA code, despite logging you into PayPal.
You could repeat the process using the same “=_integrated-registration” page unlimited times.
The technique does require an attacker to have the victim’s password—but that’s precisely the scenario two-factor authentication is supposed to protect against.
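The bug class Rogers describes is an alternate login path that mints a session without ever recording whether the second factor was completed. The following Python model is an added illustration, not code from the article or from PayPal; `AuthService`, `issue_session` and the toy accounts are assumptions. It places the vulnerable integration handler beside a hardened design in which every path issues sessions through one function that tracks 2FA state, and in which protected pages check that state rather than the mere existence of a cookie.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    password: str          # constructed toy data; a real system stores a password hash
    twofa_enabled: bool


@dataclass
class Session:
    username: str
    twofa_verified: bool   # the authentication level the cookie actually earned


class AuthService:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.sessions = {}  # cookie value -> Session

    def _password_ok(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and secrets.compare_digest(acct.password, password)

    # Vulnerable pattern (hypothetical model of the flaw described above): a
    # secondary flow that performs its own password check and then hands out a
    # cookie the rest of the site treats as fully logged in, skipping the OTP.
    def integrated_registration_vulnerable(self, username, password):
        if not self._password_ok(username, password):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = Session(username, twofa_verified=True)
        return cookie

    # Hardened pattern: the only place a session is created. It records whether
    # the second factor was actually verified; it never assumes it.
    def issue_session(self, username, password, otp_ok=False):
        if not self._password_ok(username, password):
            return None
        acct = self.accounts[username]
        verified = otp_ok or not acct.twofa_enabled
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = Session(username, twofa_verified=verified)
        return cookie

    # Every protected page asks this, so a cookie minted by any path is
    # useless for account access until the OTP step has really completed.
    def is_fully_authenticated(self, cookie):
        s = self.sessions.get(cookie)
        return s is not None and s.twofa_verified
```

The detection angle for a defender is the same check inverted: a session that reaches account pages without a recorded 2FA completion event for a 2FA-enabled account is the signal that some login path skipped the step.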
Rogers is the same hacker who in January was reported to police after finding a vulnerability in a government website. He has provided a video demonstration of the PayPal vulnerability, shown below.
Update: PayPal officials have released the following statement:
We are aware of a two-factor authentication (2FA) issue that is limited to a small number of integrations with Adaptive Payments. 2FA is an extra layer of security some customers have chosen to add to their PayPal accounts. We are working to get the issue addressed as quickly as possible. It is important to clarify that 2FA provides extra assurance to keep accounts secure; however, usernames and passwords are still required to gain access to all PayPal accounts.
Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way. If you have chosen to add 2FA to your PayPal account, your account will continue to operate as usual on the vast majority of PayPal product experiences. We have extensive fraud and risk detection models and dedicated security teams who work to help keep our customers’ accounts secure from fraudulent transactions, every day. We apologize for any inconvenience caused to affected customers who use our 2FA process and we will continue to work hard to address this issue.