A security researcher has uncovered a simple method for bypassing the two-factor authentication mechanism that PayPal uses to protect accounts that are tied to eBay accounts.
The vulnerability is related to the way that the login flow works when a user is prompted to connect her eBay account to her PayPal account. The eBay and PayPal sites typically will give users the opportunity to link their two accounts when they go to pay for an eBay item through PayPal. A user can opt not to tie the accounts together, but if she continues through the dialogue to connect them, she is presented with a page that asks for her PayPal login information.
“When you are redirected to the login page (above), the URL contains ‘=_integrated-registration’. Doing a quick Google search for this shows that it isn’t used for anything other than eBay; thus it is set up purely for PayPal & eBay,” Joshua Rogers, an Australian researcher, wrote in a blog post explaining the flaw.
“Once you’re actually logged in, a cookie is set with your details, and you’re redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load http://www.paypal.com/ , and you are logged in, and don’t need to re-enter your login.”
The problem is that the integrated-registration login path never asks for the two-factor authentication code before it issues the session cookie, and the rest of the site then accepts that cookie as a fully authenticated session. PayPal’s two-factor system uses one-time passwords generated either by a small dedicated device or sent by SMS to the user’s cell phone. Users with 2FA enabled on their accounts should not be able to log in without both the username and password and the 2FA code, whichever login page they arrive through.
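The bug class is easier to see in code than in prose. The following is an added example written for this article, not PayPal’s or the researcher’s code: a toy model with two login pages sharing one session store. The user records, passwords and one-time codes are constructed sample data. In the vulnerable version the integration page mints a fully trusted session without ever asking for the OTP, and the money-sending action trusts any session. In the hardened version a session records whether the second factor was actually completed, and every sensitive action checks that flag at the point of use, so the weak entry point can only produce a half-authenticated session that must be stepped up with the OTP.

```python
# Added example (not PayPal's or the researcher's code): a toy model of the
# bug class described above. Two login paths share one session store, but
# only one of them enforces the second factor, so a session minted by the
# weaker path is accepted everywhere. The fix moves the 2FA check to the
# point of use: every authenticated action checks that the session really
# completed 2FA, no matter which login page issued it.
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    password: str       # plaintext only to keep the model short; hash in real code
    mfa_enabled: bool
    current_otp: str    # the code the user's token or SMS would produce right now


# Constructed sample data for the demo (hypothetical users and codes).
USERS = {
    "alice": User("alice", "correct horse", mfa_enabled=True, current_otp="482913"),
    "bob": User("bob", "hunter2", mfa_enabled=False, current_otp=""),
}

SESSIONS: Dict[str, dict] = {}   # cookie value -> session record


def _password_ok(username: str, password: str) -> Optional[User]:
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user.password, password):
        return None
    return user


def _otp_ok(user: User, otp: Optional[str]) -> bool:
    return otp is not None and hmac.compare_digest(user.current_otp, otp)


def _new_session(user: User, mfa_verified: bool) -> str:
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": user.username, "mfa_verified": mfa_verified}
    return cookie


# --- Vulnerable design: each login page decides on its own whether to ask for 2FA.

def login_main_vuln(username: str, password: str, otp: Optional[str] = None) -> str:
    """The normal login page: password plus OTP when 2FA is enabled."""
    user = _password_ok(username, password)
    if user is None:
        raise PermissionError("bad credentials")
    if user.mfa_enabled and not _otp_ok(user, otp):
        raise PermissionError("2FA code required")
    return _new_session(user, mfa_verified=True)


def login_integrated_vuln(username: str, password: str) -> str:
    """The partner-integration login page: never prompts for the OTP (the flaw)."""
    user = _password_ok(username, password)
    if user is None:
        raise PermissionError("bad credentials")
    return _new_session(user, mfa_verified=True)   # marked fully authenticated anyway


def send_money_vuln(cookie: str) -> bool:
    """Any valid session may act; nobody re-checks how it was obtained."""
    return cookie in SESSIONS


# --- Hardened design: sessions record whether 2FA was completed, and every
# sensitive action checks that flag, so the weak entry point cannot be abused.

def login_integrated_fixed(username: str, password: str) -> str:
    """Same page, but the session it mints is only half-authenticated for 2FA users."""
    user = _password_ok(username, password)
    if user is None:
        raise PermissionError("bad credentials")
    return _new_session(user, mfa_verified=not user.mfa_enabled)


def complete_mfa(cookie: str, otp: str) -> bool:
    """Step-up: upgrade a half-authenticated session once a valid OTP is presented."""
    session = SESSIONS.get(cookie)
    if session is None:
        return False
    if _otp_ok(USERS[session["user"]], otp):
        session["mfa_verified"] = True
        return True
    return False


def send_money_fixed(cookie: str) -> bool:
    """Authorization checks the 2FA flag at the point of use, not at login."""
    session = SESSIONS.get(cookie)
    return session is not None and session["mfa_verified"]
```

The design point is that the second factor is a property of the session, not of the login page: as long as any entry point can mint a session that the rest of the site trusts unconditionally, adding a 2FA prompt to the main page protects nothing. Recording `mfa_verified` on the session and enforcing it wherever money can move makes every alternate login flow safe by default, including ones added later for partner integrations.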
“If someone has a username and password, but the hacked person has 2FA set up, then they could access the account and send money,” Rogers said via email.
Rogers disclosed the bug to PayPal’s security team in June, and the company later said it planned to fix it; that was a month ago, he said, and the flaw was still exploitable. He provided some of the details of the flaw on his blog, along with a video demonstrating the technique.
“It is an important one to fix. But it’s also easy to tell if an account has been taken over using this should someone attempt to do so. So user account compromise could be quickly noticed and remedied in the event that it was used at any sort of scale,” said Robert Hansen, a security researcher and vice president-labs at WhiteHat Security.
This isn’t the first time that PayPal’s 2FA system has been found lacking. In June, researchers at Duo Security published another technique for bypassing the system, thanks to a flaw in the way the servers handle requests from certain mobile apps.