Oftentimes, looking at a given security vulnerability or mistake by a vendor, it’s easy to wonder how on earth the bug got through in the first place, or why the company didn’t catch the problem earlier. That definitely could have been the case with the recently disclosed bypass of PayPal’s two-factor authentication mechanism, but, as is often the case with security, things aren’t as simple as they appear on the surface.
The 2FA bypass, disclosed this week by researcher Zach Lanier of Duo Security, is a complex issue that involves the way that PayPal’s mobile apps handle authentication for 2FA-protected accounts. The company has introduced a 2FA system that enables users to generate one-time passwords for login, either through the use of a dedicated device or codes sent to their mobile devices. However, PayPal’s iOS and Android apps don’t yet support 2FA, so when a user who has 2FA enabled on his account sends a login request from his mobile device that includes a flag saying that 2FA is enabled, things go a little haywire.
The app will automatically log the user out and show an error message. But, if the user flips the device to airplane mode at the right time, preventing some information from being sent to PayPal, the app will log the user into his account, ignoring the 2FA flag. On the surface, that seems like something the PayPal developers and security engineers should’ve taken care of, but there are a number of other factors involved that make things more complicated.
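To make the design point concrete, here is an added toy model in Python (not PayPal’s or Duo’s code; the class, field and endpoint names are invented) that contrasts a flow in which the server hands out a live session at the password step and leaves 2FA enforcement to the app, with one in which no session exists until the one-time code has been verified, so a dropped follow-up request gains the client nothing.

```python
# Added illustration, not PayPal's or Duo's code: names are invented, and
# "airplane mode" is modelled as the app failing to send its follow-up request.
USERS = {"alice": {"pw": "pw1", "twofa": True, "otp": "246810"}}  # constructed sample

class Server:
    def __init__(self):
        self.sessions, self.challenges = set(), {}

    def account_data(self, token):
        return "balance" if token in self.sessions else "denied"

class ClientEnforcedServer(Server):
    """Flawed: a full session exists right after the password step; the server
    only reports that 2FA is on and relies on the app to act on the flag."""
    def login(self, name, pw):
        if pw != USERS[name]["pw"]:
            return None
        self.sessions.add(f"sess-{name}")  # valid before any OTP is checked
        return {"token": f"sess-{name}", "twofa_enabled": USERS[name]["twofa"]}

    def logout(self, token):
        self.sessions.discard(token)

def client_enforced_flow(server, name, pw, network_up=True):
    """App without 2FA support: it logs out when the flag is set, but that is
    a second round trip; if it cannot be sent, the app keeps the live token."""
    resp = server.login(name, pw)
    if resp is None:
        return "denied"
    if resp["twofa_enabled"] and network_up:
        server.logout(resp["token"])
        return "denied"
    # reached when 2FA is off, or when the logout could not be sent (error ignored)
    return server.account_data(resp["token"])

class ServerEnforcedServer(Server):
    """Fixed: the password step yields only a challenge id; a session exists
    only after verify_otp succeeds, so there is nothing for the app to skip."""
    def login(self, name, pw):
        if pw != USERS[name]["pw"]:
            return None
        self.challenges[f"chal-{name}"] = name
        return {"challenge": f"chal-{name}"}

    def verify_otp(self, challenge, code):
        name = self.challenges.pop(challenge, None)  # one attempt per challenge
        if name is None or code != USERS[name]["otp"]:
            return None
        self.sessions.add(f"sess-{name}")
        return {"token": f"sess-{name}"}
```

In the flawed model the token returned by `login` is already accepted by `account_data`, so whatever the app does afterwards is cosmetic; in the fixed model the server never has a session to protect until the code checks out.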
PayPal’s functionality is interwoven with a huge number of other apps and Web sites, so rolling out a fix for this issue isn’t as easy as one might think.
“In this particular case, PayPal rolled out two-factor in a web-first manner, without keeping mobile in mind as a first-class citizen. It’s not entirely surprising though if you consider the constraints – if you want to make changes to your authentication flow, but your mobile SDK is baked into thousands upon thousands of third-party mobile apps which all leverage that authentication flow, how do you make any reasonable progress? Again, a modern mobile-first access pattern has thrown a wrench into an otherwise slam-dunk upgrade to account security,” Jon Oberheide, co-founder and CTO of Duo Security, said.
This is a problem that any number of companies, large and small, are facing right now as more and more users migrate to mobile platforms as their primary computing environments. Authentication on the Web side is generally well-understood, but it’s certainly not perfect by any means. On any given day, a casual search of security news can turn up a passel of authentication issues on all kinds of sites, and not just smaller ones, either. As Oberheide points out, PayPal’s issue illustrates how difficult it is to get these things right.
“If top-notch organizations with sophisticated security engineering groups like PayPal and Google are facing such challenges, how will others fare? We’re confident that the PayPal and Google incidents are just the tip of the iceberg,” he said.
“More broadly, these vulnerabilities are a good example of how the move to cloud and mobile has not always been graceful for organizations and has been disruptive to the way we deploy security controls.”