August 22, 2016

PayPal Patches Two-Factor Authentication Vulnerability


PayPal has patched a vulnerability that allowed an attacker to bypass the two-factor authentication procedure on its online portal.

A 2FA (two-factor authentication) bypass vulnerability discovered in the official PayPal website (API web application) has now been patched by the payment processor. The vulnerability lay in the way PayPal’s API implemented the “PayPal preview” portal.

Fundamentally, if a user logged in via the website’s preview portal and then left the browser open, an attacker could open the main login portal and reach the target’s PayPal account while circumventing the 2FA check.

Notably, the exploit only worked if the attacker had access to the victim’s browser.


The exploit was discovered by a cybersecurity researcher at Vulnerability Labs, who detailed the process in an advisory that included a proof of concept.

The steps are:

  1. Open the PayPal UK Login Portal in a new tab (keep it open)
  2. In another tab, open the PayPal Preview Login Portal
  3. Log in to your account at the URL opened in step 2
  4. Enter credentials in the new window which appears
  5. Refresh the page which was opened in step 1
  6. Now you will be logged in. Click on the View Account button, which will lead you to your account, and the 2-step verification will be bypassed.

As a means to fix the vulnerability, security researcher Shawar Khan suggested that verification checks be deployed in every PayPal login portal, even if the user is already logged in.

For its part, PayPal has disabled the “preview” portal link described in the advisory altogether.
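The check the researcher suggested, that a second-factor step be enforced on every login path rather than only on the main portal, can be illustrated with a small session model. The code below is an added example written for this article; it is not PayPal’s code and not the advisory’s proof of concept, and all names (the `USERS` table, `SessionStore`, the two `view_account_*` gates) are hypothetical. It contrasts a weak account gate that trusts any session with a user attached with a hardened gate that requires the `mfa_verified` flag on the session itself, so it makes no difference which entry point performed the password step.

```python
"""Constructed model of the mitigation described above: every route that serves
account data requires a completed second-factor step on the session itself, no
matter which login entry point created the session. Names are hypothetical;
this is not PayPal's code and not the advisory's proof of concept."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample credential store. A real deployment keeps password hashes
# and a TOTP seed; a fixed one-time code is used here only to stay offline.
USERS = {"alice": {"password": "correct-horse-battery", "otp": "492817"}}


@dataclass
class Session:
    user: Optional[str] = None      # set once the password step succeeded
    mfa_verified: bool = False      # set only when the second factor succeeded


class SessionStore:
    """Server-side session table keyed by an opaque random cookie value."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Session:
        return self._sessions[sid]


def _matches(expected: str, supplied: str) -> bool:
    # Constant-time comparison so a wrong guess does not leak via timing.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def login_preview(store: SessionStore, sid: str, user: str, password: str) -> bool:
    """Secondary entry point that, like the reported preview portal, only
    checks the password and attaches the user to the session."""
    rec = USERS.get(user)
    if rec is None or not _matches(rec["password"], password):
        return False
    store.get(sid).user = user
    return True


def login_main(store: SessionStore, sid: str, user: str, password: str, otp: str) -> bool:
    """Main entry point: password first, then the second factor."""
    if not login_preview(store, sid, user, password):
        return False
    s = store.get(sid)
    s.mfa_verified = _matches(USERS[user]["otp"], otp)
    return s.mfa_verified


def view_account_weak(store: SessionStore, sid: str) -> str:
    """Weak gate: a session with a user attached counts as logged in, so a
    session built by the preview path reaches account data without 2FA."""
    s = store.get(sid)
    if s.user is None:
        raise PermissionError("login required")
    return f"account page for {s.user}"


def view_account_hardened(store: SessionStore, sid: str) -> str:
    """Hardened gate: the second-factor flag must be set on the session, so it
    makes no difference which portal performed the password step."""
    s = store.get(sid)
    if s.user is None or not s.mfa_verified:
        raise PermissionError("second factor required")
    return f"account page for {s.user}"


def _granted(gate: Callable[[SessionStore, str], str], store: SessionStore, sid: str) -> bool:
    try:
        gate(store, sid)
        return True
    except PermissionError:
        return False


def demonstrate() -> Dict[str, bool]:
    """Which gate grants access after each login path (True = granted)."""
    store, out = SessionStore(), {}
    sid = store.create()
    login_preview(store, sid, "alice", "correct-horse-battery")
    out["weak_after_preview"] = _granted(view_account_weak, store, sid)
    out["hardened_after_preview"] = _granted(view_account_hardened, store, sid)
    sid = store.create()
    login_main(store, sid, "alice", "correct-horse-battery", "492817")
    out["hardened_after_main"] = _granted(view_account_hardened, store, sid)
    sid = store.create()
    login_main(store, sid, "alice", "correct-horse-battery", "000000")
    out["hardened_after_main_bad_otp"] = _granted(view_account_hardened, store, sid)
    return out


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name}: {'granted' if ok else 'denied'}")
```

The point of the design is that the authorization decision is made on state the session carries, not on which URL the user arrived through: adding a new login entry point that forgets the second factor then fails closed at the account gate instead of silently weakening the whole site.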

The vulnerability was reported to PayPal on May 13th, 2016; PayPal’s bug bounty program took notice a day later and issued feedback later in May. The patch was issued on July 10th, and the vulnerability was publicly disclosed this month.

Image credit: Flickr.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
