Vulnerability still works even with 2FA turned on

Sep 8, 2015 14:04 GMT  ·  By
PayPal's mobile apps have a vulnerability when it comes to their login system

Benjamin Kunz Mejri, CEO of Vulnerability Lab, has discovered a method of bypassing PayPal's authentication procedures on its mobile applications, even if two-factor authentication (2FA) is turned on.

When a user tries to log in with the wrong credentials multiple times on the PayPal website from a desktop, the service blocks his access to the account and asks him to call a company representative to verify his identity, or to open a ticket.

This is a standard procedure, and the user is not granted access to his account until he follows this step.

However, Mr. Mejri has found that by switching to PayPal's Android and iOS apps, users can bypass the authentication procedure and access the "blocked" account.

"Even if the account is restricted the user can access via the mobile API by using the existing cookies," says Mejri, referring to a technique in which he replaces the expired cookies with valid session cookies.

By doing this, he is redirected to the PayPal dashboard when using the mobile apps, even if his account is considered "blocked" when accessing it from a desktop.
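The following constructed Python model is an added illustration, not code from Vulnerability Lab, PayPal or this article: it shows the failure mode described above, a lockout enforced by the web login path while a second channel keeps honouring an existing session cookie, beside the check a defender would want, where the lock state is consulted on every channel and locking revokes live sessions. The account, password, threshold and function names are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
import secrets

MAX_FAILED_LOGINS = 3  # constructed threshold; the real one is not given in the article


@dataclass
class Account:
    password: str
    failed_logins: int = 0
    locked: bool = False
    sessions: set = field(default_factory=set)  # live session cookies, all channels


def web_login(acct: Account, password: str, revoke_on_lock: bool) -> Optional[str]:
    """Web login path: a wrong password counts toward lockout; a right one issues a cookie."""
    if acct.locked:
        return None
    if password != acct.password:
        acct.failed_logins += 1
        if acct.failed_logins >= MAX_FAILED_LOGINS:
            acct.locked = True
            if revoke_on_lock:
                acct.sessions.clear()  # hardened: a lock invalidates every live session
        return None
    acct.failed_logins = 0
    cookie = secrets.token_hex(16)
    acct.sessions.add(cookie)
    return cookie


def mobile_api_vulnerable(acct: Account, cookie: str) -> bool:
    """Bug pattern from the article: the mobile channel trusts any known session
    cookie and never consults the account's lock state."""
    return cookie in acct.sessions


def mobile_api_hardened(acct: Account, cookie: str) -> bool:
    """Fix: every channel checks the lock state before honouring a session."""
    return not acct.locked and cookie in acct.sessions


def simulate(hardened: bool) -> bool:
    """Return whether an existing mobile session survives a web lockout."""
    acct = Account(password="correct-horse")             # constructed sample account
    cookie = web_login(acct, "correct-horse", hardened)  # legitimate earlier session
    for _ in range(MAX_FAILED_LOGINS):                   # failed attempts trigger the lock
        web_login(acct, "wrong-password", hardened)
    check = mobile_api_hardened if hardened else mobile_api_vulnerable
    return check(acct, cookie)
```

Running `simulate(False)` reports that the old cookie still grants mobile access after the web lockout, while `simulate(True)` reports that it does not.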

There's a potential for fraud if the bug is exploited

Inside the dashboard he was able to interact with account settings, and according to Mr. Mejri, there is a potential for fraud if an attacker can gain access to "blocked" accounts through an authentication bypass and then initiate payments or money transfers.

According to Mejri, he contacted PayPal but company employees were unable to reproduce his steps.

After waiting for four months, Mejri published his findings.

This is the second time Mejri and PayPal's security team have been at odds, Mejri having previously publicly disclosed an unpatched bug in October 2014, after PayPal failed to properly communicate with him. After the public disclosure, PayPal did acknowledge and patch the bug. Mejri claims he was not rewarded for his finding under the company's bug bounty program.