Results 1 to 1 of 1
-
29th Jun 2014, 01:32 PM #1
PayPal’s Two-Factor Authentication Bypassed
A vulnerability in the authentication flow of the PayPal API web services allowed access to an account protected by PayPal’s two-factor authentication (2FA) mechanism.
2FA is a supplementary security measure which requires entering an additional code that is generally sent to the owner’s email address or mobile phone as a short text message.
PayPal mobile apps cannot be used to access accounts that have 2FA enabled, but it seems that the log in procedure is still carried out in lack of the supplementary security code and, when the signal that the log in is protected by the additional code returns from the server, access to said account is blocked.
On iOS, by enabling the Airplane Mode before the 2FA signal returns from the server and then re-enabling connectivity of the device, it is possible to gain access to an account protected by the double security measure.
According to Duo Security researcher Zach Lanier, the flaw was possible because during the authorization process of 2FA-enabled accounts, a session token was provided after logging in with the username and password; this allowed various account-related actions to be performed, including money transfers.
The discovery was made by Dan Saltman, a developer who, at the end of March, reported the issue to PayPal via the Bug Bounty program, but received an automated response only after about a month, letting him know that the investigation was ongoing. Meanwhile, he contacted Duo Security for validation of the flaw.
Duo Security confirmed the issue. Upon further investigation, they reproduced the 2FA bypass with mobile apps for the Android operating system. The security firm also contacted PayPal on April 23 and received a reply two days later, informing that the case was still under investigation.
After an email exchange between the security firm, which informed on June 9 of its public disclosure intent on June 25, and PayPal (that extended over the course of a month), the latter implemented a temporary fix for the problem.
In a blog post, PayPal Senior Director of Global Initiatives Anuj Nayar informs customers that “all PayPal accounts remain secure” and that the issue affected only users with the 2FA extra security measure enabled.
“As a precaution we have disabled the ability for customers who have selected 2FA to log in to their PayPal account on the PayPal mobile app and on certain other mobile apps. These customers will still be able to log in to their PayPal account on a mobile device by visiting the PayPal mobile web site,” he added.Kepler Reviewed by Kepler on . PayPal’s Two-Factor Authentication Bypassed http://i1-news.softpedia-static.com/images/news-700/PayPal-s-Two-Factor-Authentication-Bypassed.jpg A vulnerability in the authentication flow of the PayPal API web services allowed access to an account protected by PayPal’s two-factor authentication (2FA) mechanism. 2FA is a supplementary security measure which requires entering an additional code that is generally sent to the owner’s email address or mobile phone as a short text message. PayPal mobile apps cannot be used Rating: 5
Sponsored Links
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Similar Threads
-
Two questions: about paypal and offshore hosting
By Zeokat in forum Webmasters, Money MakingReplies: 4Last Post: 22nd Jan 2010, 01:51 PM -
[Buying] Indian Unverified Paypal with email access atleast Two months old
By raryan99 in forum Completed TransactionsReplies: 10Last Post: 4th Jan 2010, 09:58 AM -
bypassing paypal set up
By Clowner in forum PaypalReplies: 21Last Post: 5th Jul 2009, 04:31 AM -
A Question About paypal.
By musman1986 in forum PaypalReplies: 16Last Post: 14th Jun 2008, 10:19 AM -
Trade Epassporte for paypal money
By Wau in forum Webmasters, Money MakingReplies: 0Last Post: 19th May 2008, 09:50 AM
themaCreator - create posts from...
Version 3.24 released. Open older version (or...