PayPal Forced To Issue Workaround For Broken Security Key

eBay-owned payments giant PayPal has pushed out a fix for a bug that would have allowed an attacker to easily get around its two-factor authentication Security Key.

Researchers said the vulnerability effectively made the protection layer useless, as exploits could be carried out either from a mobile device or using a specially-designed program.

The bug was initially discovered by entrepreneur Dan Saltman, who found that despite having two-factor enabled he could still log in via the PayPal mobile app without having to enter the one-time code the Security Key requires to allow a user in.

PayPal 2FA rendered almost useless

The 2FA protection doesn’t actually work on mobile clients – a user is quickly logged in and then logged out again, with a notification telling them they can’t use the app as it doesn’t support the security feature.

But when Saltman, using flight mode, turned off connectivity quickly after being logged in, he found that if he turned the connectivity back on he remained signed in and able to make payments.

Saltman approached researchers at Duo Security, who found the issue was more serious and lay in the application programming interfaces (APIs) PayPal was using. Those APIs were sending session tokens to mobile clients before even asking for two-factor authentication.

Senior security researcher at Duo, Zach Lanier, created a quick program that replicated the mobile app and was able to swap out some code to tell PayPal servers the Security Key feature was not switched on for the user.

“We developed a proof-of-concept exploit to leverage this lack of 2FA enforcement, interfacing with the PayPal API directly and effectively mimicking the PayPal mobile app as though it were accessing a non-2FA account,” Lanier said in a blog post.

“The exploit communicates with two separate PayPal API services – one to authenticate (only with primary credentials), and another to transfer money to a destination account.

“Note that the standard browser-based PayPal web interface is not affected by the bypass. However, since an attacker can simply use the underlying API to gain full account access, this distinction is purely academic.”

PayPal has now stopped sending those session tokens from its API to mobile clients where 2FA is enabled. It is also planning a fuller fix in late July.
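The token-before-2FA flaw described above, beside the server-side enforcement that PayPal's fix amounts to, as an added example in Python that is not PayPal's or Duo's code; the account records, the one-time code, the session store and the function names are all constructed for illustration.

```python
import hmac
import secrets

# Added example, not PayPal's or Duo's code; accounts, codes and tokens are constructed.
USERS = {
    "alice": {"password": "correct-horse", "twofa_enrolled": True},   # server-side enrolment
    "bob":   {"password": "battery-staple", "twofa_enrolled": False},
}
OTP_CODES = {"alice": "123456"}  # constructed stand-in for the Security Key one-time code
SESSIONS = {}                    # token -> {"user": ..., "scope": ...}

def _password_ok(user, password):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)

def _issue(user, scope):
    token = secrets.token_hex(16)
    SESSIONS[token] = {"user": user, "scope": scope}
    return token

def login_flawed(user, password, client_says_2fa_enabled):
    """Flaw from the article: full token issued on primary credentials; 2FA need is a client flag."""
    if not _password_ok(user, password):
        return None
    token = _issue(user, "full")                 # already good for payments
    if client_says_2fa_enabled:
        SESSIONS[token]["otp_required"] = True   # advisory only; nothing enforces it
    return token

def login_hardened(user, password):
    """Fix: enrolment is read server-side; enrolled users get a pending token until verify_otp."""
    if not _password_ok(user, password):
        return None
    scope = "pending_2fa" if USERS[user]["twofa_enrolled"] else "full"
    return _issue(user, scope)

def verify_otp(token, code):
    """Upgrade a pending session to full scope only on a correct one-time code."""
    sess = SESSIONS.get(token)
    if sess is None or sess["scope"] != "pending_2fa":
        return False
    if not hmac.compare_digest(OTP_CODES.get(sess["user"], ""), code):
        return False
    sess["scope"] = "full"
    return True

def can_transfer(token):
    """The money-transfer API accepts only full-scope sessions."""
    sess = SESSIONS.get(token)
    return sess is not None and sess["scope"] == "full"
```

The key difference is where the 2FA decision lives: in the flawed flow the client's own claim about enrolment is the only gate, while in the hardened flow the transfer endpoint checks a scope the server alone can upgrade.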

“As a precaution we have disabled the ability for customers who have selected 2FA to log in to their PayPal account on the PayPal mobile app and on certain other mobile apps until an identified fix can be implemented in the next few weeks,” a spokesperson said.

PayPal’s owner has had a bad year for security. eBay announced it was breached earlier this year, asking all users to change their passwords.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
