Duo Security Researchers Uncover Bypass of PayPal's Two-Factor Authentication
Zach Lanier, Duo Labs, June 25th, 2014

Researchers at Duo Labs, the advanced research team at Duo Security, discovered that it is possible to bypass PayPal's two-factor authentication (the Security Key mechanism, in PayPal nomenclature).

The vulnerability lies primarily in the authentication flow for the PayPal API web service () - an API used by PayPal's official mobile applications, as well as numerous third-party merchants and apps - but also partially in the official mobile apps themselves.

An attacker only needs a victim's PayPal username and password in order to access a two-factor protected account and send money.

Duo would also like to thank Dan Saltman from EverydayCarry for his assistance in the initial reporting of this issue.

As of the date of this post (June 25), PayPal has put a workaround in place to limit the impact of the vulnerability, and is actively working on a permanent fix.

In light of the vulnerability reporting timeline and the trivial discoverability of the vulnerability, we have elected to publicly disclose this issue, so that users can be informed of the risks to their PayPal account security.

The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified. While PayPal's mobile apps do not currently support 2FA-enabled accounts, it is possible to trick the PayPal mobile applications into ignoring the 2FA flag on the account, allowing an attacker to log in without requiring secondary authentication.

We developed a proof-of-concept exploit to leverage this lack of 2FA enforcement, interfacing with the PayPal API directly and mimicking the PayPal mobile app as though it were accessing a non-2FA account.
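The design flaw described above is that the second factor is enforced by the client (the API tells the app that 2FA is required, and a client that ignores that flag is still handed a usable session) rather than by the server. The following is an added illustration of that flaw beside the server-side fix; it is not Duo's proof-of-concept and not PayPal's API or code. The function names, session fields, sample users and the `twofa_required` flag are all hypothetical, and the password and OTP handling is a toy (plaintext, no rate limiting) kept minimal so the control-flow difference stands out.

```python
"""Hypothetical model: client-enforced vs. server-enforced 2FA.

Added illustration only. Nothing here is PayPal's API; endpoint-like
function names, field names and users are made up to show the flaw the
post describes (client trusted to honour a "2FA required" flag) next to
a design where the server tracks second-factor state itself.
"""
import hmac
import secrets

# Constructed sample user store (hypothetical). Plaintext secrets are
# used only to keep this toy short; a real system hashes passwords and
# uses a proper OTP algorithm.
USERS = {
    "alice": {"password": "correct horse", "twofa_enabled": True, "otp": "123456"},
    "bob":   {"password": "hunter2",       "twofa_enabled": False, "otp": None},
}

# token -> {"user": str, "fully_authenticated": bool}
SESSIONS = {}


def _password_ok(user, password):
    return user is not None and hmac.compare_digest(user["password"], password)


# --- Vulnerable design: enforcement delegated to the client -------------------
def vulnerable_login(username, password):
    """Issues a fully privileged session on password alone and merely
    advises the client, via a flag, that it should collect a second factor.
    A client that ignores the flag (the attacker's "mobile app") is done."""
    user = USERS.get(username)
    if not _password_ok(user, password):
        return {"error": "bad credentials"}
    token = secrets.token_hex(16)
    SESSIONS[token] = {"user": username, "fully_authenticated": True}
    return {"token": token, "twofa_required": user["twofa_enabled"]}


# --- Hardened design: the server tracks second-factor state -------------------
def hardened_login(username, password):
    """Issues a session that is only partially authenticated for 2FA
    accounts; the flag is still returned, but nothing depends on the
    client honouring it."""
    user = USERS.get(username)
    if not _password_ok(user, password):
        return {"error": "bad credentials"}
    token = secrets.token_hex(16)
    SESSIONS[token] = {
        "user": username,
        "fully_authenticated": not user["twofa_enabled"],
    }
    return {"token": token, "twofa_required": user["twofa_enabled"]}


def hardened_verify_otp(token, otp):
    """Upgrades a partial session to fully authenticated on a correct OTP."""
    sess = SESSIONS.get(token)
    if sess is None:
        return False
    user = USERS[sess["user"]]
    if user["otp"] is None or not hmac.compare_digest(user["otp"], otp):
        return False
    sess["fully_authenticated"] = True
    return True


def send_money(token, amount):
    """Every privileged call checks server-side session state, never a
    client-supplied or client-honoured flag."""
    sess = SESSIONS.get(token)
    if sess is None or not sess["fully_authenticated"]:
        return {"error": "second factor required"}
    return {"ok": True, "from": sess["user"], "amount": amount}


def simulate_attacker(login):
    """A client that has the victim's password and simply ignores the
    twofa_required flag, as the post describes."""
    resp = login("alice", "correct horse")
    return send_money(resp["token"], 100)


if __name__ == "__main__":
    print("vulnerable:", simulate_attacker(vulnerable_login))
    print("hardened:  ", simulate_attacker(hardened_login))
```

Run against the vulnerable login the attacker's client transfers money with only the password; against the hardened one the same client is refused until `hardened_verify_otp` succeeds, because the server, not the app, decides whether the second factor has been presented.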