August 22, 2016

PayPal Patches Two-Factor Authentication Vulnerability


PayPal has patched a vulnerability that allowed an attacker to bypass the two-factor authentication procedure on its website.

A 2FA (two-factor authentication) bypass vulnerability discovered in the official PayPal website (API web application) has now been patched by the payment processor. The vulnerability lay in the way PayPal’s API implemented the “PayPal preview” portal.

Fundamentally, if a user logged in via the website’s preview portal and then left the browser open, an attacker could open the main login portal in that browser and reach the target’s PayPal account while circumventing the 2FA check.

Notably, the exploit was only triggered if the attacker gained access to a victim’s browser.


The exploit was discovered by a cybersecurity researcher at Vulnerability Labs, who detailed the process in an advisory that included the proof of concept of the exploit.

The steps are:

  1. Open the PayPal UK Login Portal in a new tab (keep it open)
  2. In another tab, open the PayPal Preview Login Portal
  3. Log in to your account at the URL opened in step 2
  4. Enter your credentials in the new window that appears
  5. Refresh the page opened in step 1
  6. You will now be logged in. Click the View Account button, which leads to your account; the two-step verification is bypassed.

To fix the vulnerability, security researcher Shawar Khan suggested that verification checks be enforced on every PayPal login portal, even when the user is already logged in.

For its part, PayPal has disabled the “preview” portal link described in the advisory altogether.
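The pattern the researcher's suggestion addresses is a site with more than one login endpoint sharing a session store, where one endpoint marks a session as logged in without completing the second factor and the account page trusts that flag. The following is an added illustration written for this article, not PayPal's code: the portal names, user record, session store and the fixed MFA code are all constructed assumptions. It contrasts an account view that only checks "is there a logged-in session" with one that checks the session's own second-factor state regardless of which portal created it.

```python
"""Constructed model of a two-portal login flow with a shared session store.

Not PayPal's code. Portal names, the user record, the session store and the
MFA code below are assumptions made for this illustration only.
"""
import secrets
from dataclasses import dataclass

# Constructed user record; a real system would hold a password hash.
USERS = {"alice": {"password": "hunter2-constructed", "mfa_enabled": True}}

# Constructed stand-in for a TOTP/SMS code check.
CONSTRUCTED_MFA_CODE = "123456"


@dataclass
class Session:
    user: str
    password_ok: bool = False   # first factor completed
    mfa_verified: bool = False  # second factor completed


class SessionStore:
    """Server-side session table keyed by an opaque cookie value."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(user=user, password_ok=True)
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def preview_portal_login(store, user, password):
    """Hypothetical 'preview' portal: checks the password only and issues a
    session cookie without ever running the second factor."""
    rec = USERS.get(user)
    if rec is None or not secrets.compare_digest(rec["password"], password):
        return None
    return store.create(user)


def complete_mfa(store, sid, code):
    """Second-factor step of the main portal; marks the session verified."""
    s = store.get(sid)
    if s is not None and secrets.compare_digest(code, CONSTRUCTED_MFA_CODE):
        s.mfa_verified = True
        return True
    return False


def view_account_vulnerable(store, sid):
    """Weak gate: any session with a user attached is treated as fully
    authenticated, so a preview-portal session reaches the account."""
    s = store.get(sid)
    if s is None or not s.password_ok:
        return "login required"
    return f"account of {s.user}"


def view_account_hardened(store, sid):
    """Hardened gate: the account page checks the session's own MFA state,
    so it does not matter which portal created the session."""
    s = store.get(sid)
    if s is None or not s.password_ok:
        return "login required"
    if USERS[s.user]["mfa_enabled"] and not s.mfa_verified:
        return "second factor required"
    return f"account of {s.user}"


def demo():
    """Walk one preview-portal session through both gates."""
    store = SessionStore()
    sid = preview_portal_login(store, "alice", "hunter2-constructed")
    before = (view_account_vulnerable(store, sid), view_account_hardened(store, sid))
    complete_mfa(store, sid, CONSTRUCTED_MFA_CODE)
    after = view_account_hardened(store, sid)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The defensive point is that the second-factor decision belongs on the resource being protected (the account page) and on the session's recorded state, not on which login form happened to set the cookie; removing the weaker portal, as PayPal did, closes this instance but the session-state check is what prevents the next one.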

The vulnerability was reported to PayPal on May 13th, 2016 and PayPal’s bug bounty program took notice a day later, before issuing feedback later in May. The patch was eventually issued on July 10th before the vulnerability eventually gained public disclosure this month.

Image credit: Flickr.

About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
