There’s a vulnerability in the way that PayPal handles certain requests from mobile clients that can allow an attacker to bypass the two-factor authentication mechanism for the service and transfer money from a victim’s account to any recipient he chooses.
The flaw lies in the way that the PayPal authentication flow works with the service’s mobile apps for iOS and Android. It’s on the server side, and researchers at Duo Security developed a proof-of-concept app that can exploit the vulnerability. PayPal has been aware of the issue since March and has implemented a workaround, but isn’t planning a full patch until the end of July.
“An attacker only needs a victim’s PayPal username and password in order to access a two-factor protected account and send money. The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified,” Zach Lanier, a senior security researcher at Duo Security, wrote in his explanation of the vulnerability and its effects.
“While PayPal’s mobile apps do not currently support 2FA-enabled accounts, it is possible to effectively trick the PayPal mobile applications into ignoring the 2FA flag on the account, subsequently allowing the an attacker to log in without requiring secondary authentication.”
PayPal gives users the option of using a form of two-factor authentication that comes in a couple of forms, each of which generates a one-time password for use during login. The system can be used on the PayPal web site, but it’s not supported by the PayPal mobile apps right now. The way that the vulnerability works, the researchers were able to build an app that tricks the PayPal API into thinking that the mobile app was accessing an account that doesn’t have two-factor authentication enabled, completely ignoring the 2FA protection.
The app they built talks to two distinct APIs at PayPal, one of which handles the authentication and another that handles the money transfer after login. While looking at the vulnerability, Duo’s researchers noticed that when the PayPal servers responded to a POST request from a mobile app for a 2FA-enabled account, the app would then show an error message saying that 2FA wasn’t supported and sends the user back to the login screen. But when they replaced value in the server’s response regarding 2FA to “false”, the app would simply allow the user into the account, bypassing the 2FA protection.
Lanier then looked at the initial server response again and discovered a session identifier.
“As it turned out, ‘session_token’ is used for authorization against mobileclient.paypal.com, an otherwise (publicly) undocumented SOAP-based API that provides additional account-related functionality, including but not limited to sending money,” he wrote.
“We then stepped through the “send money” process in the mobile apps, again capturing traffic with Burp. Through this, we were able to observe the necessary requests/responses and SOAP envelopes (read: painful XML) that make up a PayPal fund transfer from their mobile applications. The funds transfer process turned out to be a four-step exchange, with each request requiring a value unique to the overall transaction.”
Using the app they built to exploit the vulnerability, the researchers were able to transfer money from a 2FA-protected account with just the username and password. In an interview, Lanier said there were any number of ways to accomplish that task, none of which is very complicated.
“There are plenty of cases of PayPal passwords being compromised in giant database dumps, and there’s also been a giant rise in PayPal related phishing,” he said. “That approach is already being used. People have long been and are continuing to do so. The whole two factor thing was supposed to make you feel all warm and fuzzy if your password is compromised. I’d probably use one of these techniques that are pretty darn efficient or maybe iterate through the public dumps of passwords.”
The PayPal bug was discovered by an outside researcher, Dan Saltman, who asked Duo Security for help validating it and communicating with the PayPal security team.