Australian teen finds way to log into account without the 2FA code

Aug 5, 2014 16:07 GMT

A security flaw in PayPal's authentication system allows an attacker to gain access to an account that has two-factor authentication (2FA) turned on without having to enter the second validation code.

A 17-year-old from Australia discovered that when linking an eBay account with a PayPal one, there is the possibility to log into the latter bypassing the 2FA feature.

2FA is a security measure imposed by many online services to make sure that the owner of the account is the one logging in and that the credentials are not being used by an unauthorized third party.

The same feature is available for PayPal accounts, although its implementation has been questioned multiple times, with researchers finding ways to bypass it.

Joshua Rogers from Melbourne also found a way to avoid entering the secondary validation code in order to access the PayPal account. However, in this case, an attacker would require the victim’s credentials, as was the case with a discovery from Duo Security.

Rogers has observed that when trying to link an eBay account to a PayPal one, the user is redirected to a page to provide the username and password for the PayPal account.

After providing the credentials, the user can load the PayPal page and access the account without providing the two-factor authentication code.

According to Rogers, the redirect page contains the function “=_integrated-registration,” which does not check for 2FA and allows accessing the account.

Getting a user's credentials is no longer a complicated business, and cybercriminals are constantly trying to find ways to bypass additional layers of security, such as two-factor authentication.

Rogers informed PayPal of his findings on June 5 this year, and he received a few answers, on June 27 and July 4. However, since no fix has been released two months after the company was informed of the flaw, the security researcher decided to publicly disclose the bug.

By doing so, the teenager is no longer entitled to the reward that could have been offered through PayPal's Bug Bounty program.

The discovery made by Duo Security referred to the mobile application for PayPal, which did not check for the 2FA code if the connection to the server was cut off immediately after sending the login credentials.

The researchers could easily achieve this on an iOS device by turning on Airplane Mode before the 2FA response returned from the server. As soon as the connection was re-enabled, the user was allowed access to the account, even though the 2FA verification never took place.
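Both bypasses described above share one root cause: a login path that reaches an authenticated session without the server itself confirming the second factor, either because an alternate entry point (the eBay linking redirect) never consults the 2FA setting, or because the client is trusted to enforce the step (the mobile app). The following is an added illustration, not PayPal's or Duo Security's code; the user store, the `Session` states and the OTP value are constructed placeholders. It models the vulnerable linking flow beside a hardened design in which every entry point funnels through a single server-side gate.

```python
from dataclasses import dataclass, field
import hashlib, hmac, secrets

# Constructed sample user store (illustration only; the hash and OTP are placeholders).
USERS = {"alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
                   "mfa_enabled": True, "otp": "123456"}}

@dataclass
class Session:
    user: str
    state: str                      # "pending_2fa" or "authenticated"
    token: str = field(default_factory=lambda: secrets.token_hex(16))

def _check_password(user, password):
    record = USERS.get(user)
    digest = hashlib.sha256(password.encode()).hexdigest()
    return record is not None and hmac.compare_digest(record["pw_hash"], digest)

# Vulnerable pattern, as in the linking flow described above: the alternate
# entry point validates the password and immediately issues a full session,
# never consulting whether the account has 2FA enabled.
def link_login_vulnerable(user, password):
    if not _check_password(user, password):
        return None
    return Session(user, "authenticated")

# Hardened pattern: every entry point (web login, account linking, mobile app)
# goes through the same gate. The password step can only yield a pending
# session; only verify_otp(), run on the server, upgrades it.
def password_step(user, password):
    if not _check_password(user, password):
        return None
    if not USERS[user]["mfa_enabled"]:
        return Session(user, "authenticated")
    return Session(user, "pending_2fa")

def verify_otp(session, otp):
    if session.state != "pending_2fa":
        return session
    if hmac.compare_digest(USERS[session.user]["otp"], otp):
        return Session(session.user, "authenticated")
    return session                  # wrong or missing code: stays pending

def link_login_hardened(user, password):
    return password_step(user, password)    # linking shares the single gate

def is_authorized(session):
    # Check server-side state, not merely that a token exists: a client that
    # drops the connection after the password step holds only a pending session.
    return session is not None and session.state == "authenticated"
```

With the hardened gate, a connection cut after the password step leaves the session in `pending_2fa`, so the Airplane Mode trick grants nothing, and the linking path cannot skip the check because it has no code path that issues an authenticated session on its own.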

You can check out the demonstration in the video below: