
Paypal ignores two factor authentication bypass bug

Back in June, security researcher Joshua Rogers discovered a bug in Paypal's two-factor authentication system that allows it to be completely bypassed by logging in through a 'special' page. Despite Rogers reporting the bypass several times, the company has yet to patch it or even acknowledge the problem, and as a result the security researcher is now revealing his findings publicly for the first time.

“On the 5th of June, 2014, I found a complete bypass for Paypal's 2FA service, in which anybody would be able to access a Paypal account that has 2FA setup, by only logging in through a 'special' Paypal page,” Rogers said in a blog post. “On the 5 August, I have decided to release this publicly, because despite two months given, it still hasn't been fixed.”


The exploit is largely down to how Paypal interacts with eBay. When linking your Paypal account to eBay, you are directed to a login page that contains “=_integrated-registration” in the URL. Once you've logged in, a cookie is saved with all of your details. As long as that cookie is there, your account will automatically log in whenever you go to Paypal, eliminating the need to type in your details again.

“Doing a quick Google search for this shows that it isn't used for anything other than eBay; thus it is set up purely for Paypal and eBay. Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load http://www.paypal.com/, and you are logged in, and don't need to re-enter your login.”

“You could repeat the process using the same “=_integrated-registration” page unlimited times.”
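A minimal model of this class of flaw, as an added example that is not from the original article, from Rogers, or from Paypal's code: two login entry points share one session store, and the partner-linking one marks the session as fully authenticated without a second-factor step. All function names, the user record and the status codes are assumptions made for illustration.

```python
import secrets

# Constructed sample data; plaintext password only to keep the sketch short.
USERS = {"alice": {"password": "correct horse", "two_factor": True}}
SESSIONS = {}  # session cookie value -> {"user": ..., "second_factor_done": ...}

def _password_ok(user, password):
    rec = USERS.get(user)
    return rec is not None and secrets.compare_digest(
        rec["password"].encode(), password.encode())

def _issue_cookie(user, second_factor_done):
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = {"user": user, "second_factor_done": second_factor_done}
    return cookie

def login_main(user, password):
    """Main login page: a 2FA account gets a session that is still pending."""
    if not _password_ok(user, password):
        return None
    return _issue_cookie(user, second_factor_done=not USERS[user]["two_factor"])

def login_partner_flawed(user, password):
    """Hypothetical partner-linking login that skips the second factor."""
    if not _password_ok(user, password):
        return None
    return _issue_cookie(user, second_factor_done=True)  # flaw: never verified

def login_partner_fixed(user, password):
    """Hardened: the partner flow reuses the main issuance path."""
    return login_main(user, password)

def complete_second_factor(cookie, code_valid):
    """Promote a pending session once the one-time code has been checked."""
    if cookie in SESSIONS and code_valid:
        SESSIONS[cookie]["second_factor_done"] = True

def account_page(cookie):
    """Central gate: decide from session state, not from the page that set it."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401
    return 200 if session["second_factor_done"] else 403
```

The regression test worth keeping is the one against the alternate entry point: a session minted there must still be refused until the second factor completes.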


KitGuru Says: I'm not a security expert but I'm pretty sure a service as important as Paypal shouldn't be ignoring security researchers when they report a bug or a loophole in the system. Even if this turned out to not be a big deal, the company should still be acknowledging problems when they are reported. What do you guys make of this? 

Source: The Inquirer


2 comments

  1. lol, i called vodafone reporting about a bug in their system when doing micropayments on prepaid cards.

    they payed me 50.000 € for the info.

    perhaps you should just have informed the correct guy, cause now somebody is making big money with your bug report LMAO. Calling paypal and telling this to the costumer support is stupid…..

  2. *customer