A vulnerability in the authentication flow of the PayPal API web services allowed access to an account protected by PayPal’s two-factor authentication (2FA) mechanism.
2FA is a supplementary security measure which requires entering an additional code that is generally sent to the owner’s email address or mobile phone as a short text message.
PayPal's mobile apps cannot be used to access accounts that have 2FA enabled, but it appears that the login procedure is still carried out without the supplementary security code; only when the server's response indicates that the login is protected by the additional code does the app block access to the account.
On iOS, by enabling Airplane Mode before the 2FA signal returns from the server and then re-enabling the device's connectivity, it is possible to gain access to an account protected by the double security measure.
According to Duo Security researcher Zach Lanier, the flaw was possible because during the authorization process of 2FA-enabled accounts, a session token was provided after logging in with the username and password; this allowed various account-related actions to be performed, including money transfers.
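The design weakness described above is that the server hands out a fully privileged session token after the password step and leaves enforcement of the second factor to the client. The following is an added illustration, not PayPal's or Duo Security's code, of the server-side alternative: a session is tracked as pending until the second factor is verified, and sensitive actions are authorized from that server-held state. The user records, codes and the transfer endpoint are constructed for the demo.

```python
import hmac
import secrets

# Constructed demo credentials (not real data); a deployment would store
# password hashes and derive one-time codes from a real second factor.
USERS = {
    "alice": {"password": "correct-horse", "otp": "482913", "tfa_enabled": True},
    "bob":   {"password": "hunter2",       "otp": None,     "tfa_enabled": False},
}


class AuthServer:
    """Tracks, per session token, whether the second factor has been verified."""

    def __init__(self):
        self.sessions = {}  # token -> {"user": str, "tfa_verified": bool}

    def login(self, user, password):
        """Password step. Returns (token, tfa_required)."""
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        # The token starts as fully verified only when 2FA is not enabled;
        # otherwise it is a pending token that can only be used to finish 2FA.
        self.sessions[token] = {"user": user, "tfa_verified": not rec["tfa_enabled"]}
        return token, rec["tfa_enabled"]

    def verify_otp(self, token, code):
        """Second-factor step: upgrades a pending session to fully verified."""
        sess = self.sessions.get(token)
        if sess is None:
            raise PermissionError("unknown session")
        expected = USERS[sess["user"]]["otp"]
        if expected is None or not hmac.compare_digest(expected, code):
            raise PermissionError("bad code")
        sess["tfa_verified"] = True
        return True

    def can_act(self, token):
        """Server-side check a client that skipped the 2FA step cannot bypass."""
        sess = self.sessions.get(token)
        return sess is not None and sess["tfa_verified"]

    def transfer(self, token, amount):
        """Sensitive action: refused unless the session is fully verified."""
        if not self.can_act(token):
            raise PermissionError("2FA not completed")
        return f"transferred {amount} from {self.sessions[token]['user']}"
```

A client that drops connectivity after the password step, as in the bypass reported here, holds only a pending token and is refused by `transfer` until `verify_otp` succeeds.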
The discovery was made by Dan Saltman, a developer who, at the end of March, reported the issue to PayPal via the Bug Bounty program, but received an automated response only after about a month, letting him know that the investigation was ongoing. Meanwhile, he contacted Duo Security for validation of the flaw.
Duo Security confirmed the issue. Upon further investigation, they reproduced the 2FA bypass with the mobile apps for the Android operating system as well. The security firm also contacted PayPal on April 23 and received a reply two days later informing it that the case was still under investigation.
After a month-long email exchange between the security firm, which informed PayPal on June 9 of its intent to disclose publicly on June 25, and PayPal, the latter implemented a temporary fix for the problem.
In a blog post, PayPal Senior Director of Global Initiatives Anuj Nayar informs customers that “all PayPal accounts remain secure” and that the issue affected only users with the 2FA extra security measure enabled.
“As a precaution we have disabled the ability for customers who have selected 2FA to log in to their PayPal account on the PayPal mobile app and on certain other mobile apps. These customers will still be able to log in to their PayPal account on a mobile device by visiting the PayPal mobile web site,” he added.