PayPal Patches Two-Factor Authentication Vulnerability


PayPal has patched a vulnerability that allowed an attacker to bypass the two-factor authentication procedure on its online portal.

A 2FA (two-factor authentication) bypass vulnerability discovered in the official PayPal website (API web application) has now been patched by the payment processor. The vulnerability lay in the way PayPal’s API implemented the “PayPal preview” portal.

In essence, if a user logged in via the website’s preview portal and then left the browser open, an attacker could open the main login portal and reach the target’s PayPal account, circumventing the 2FA security protocol.

Notably, the exploit was only triggered if the attacker gained access to a victim’s browser.


The exploit was discovered by a cybersecurity researcher at Vulnerability Labs, who detailed the process in an advisory that included the proof of concept of the exploit.

The steps are:

  1. Open the PayPal UK Login Portal in a new tab (keep it open)
  2. On the other tab, open the PayPal Preview Login Portal
  3. Log in to your account at the URL opened in step 2
  4. Enter credentials in the new window which appears
  5. Refresh the page which was opened in step 1
  6. Now you will be logged in. Click on the View Account button, which will lead you to your account, and the 2-step verification will be bypassed.

To fix the vulnerability, security researcher Shawar Khan suggested that verification checks be deployed in every PayPal login portal, even if the user is already logged in.
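A minimal model of that suggestion, added here as an illustration and not taken from PayPal or the advisory: two portals share one session store, and the hardened main portal checks the second factor even when a session already exists. The shared session store and every name in it (`Session`, `preview_login`, `main_portal_hardened`, the sample user) are assumptions made for the example.

```python
"""Constructed model: two login portals sharing one session store.
All names and the sample user are hypothetical, not PayPal's API."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    password_ok: bool = False   # first factor passed
    mfa_ok: bool = False        # second factor passed


SESSIONS = {}                   # session cookie -> Session
USERS = {"alice": {"password": "correct horse", "mfa_enrolled": True}}  # constructed


def preview_login(user, password):
    """Portal that checks only the password and never prompts for 2FA."""
    if USERS.get(user, {}).get("password") != password:
        return None
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = Session(user, password_ok=True)
    return cookie


def complete_mfa(cookie, code, expected_code):
    """2FA step; expected_code stands in for a real one-time-code check."""
    s = SESSIONS.get(cookie)
    if s and s.password_ok and secrets.compare_digest(code, expected_code):
        s.mfa_ok = True
    return bool(s and s.mfa_ok)


def main_portal_vulnerable(cookie):
    """Trusts any existing session, so the preview login skips 2FA."""
    s = SESSIONS.get(cookie)
    return "account" if s and s.password_ok else "login"


def main_portal_hardened(cookie):
    """Re-verifies on every portal, even when a session already exists."""
    s = SESSIONS.get(cookie)
    if not (s and s.password_ok):
        return "login"
    if USERS[s.user]["mfa_enrolled"] and not s.mfa_ok:
        return "mfa_challenge"
    return "account"
```

The point of the model is that the second-factor state is recorded on the session itself, so a session created by any password-only entry point cannot be promoted to full account access without the challenge.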

For its part, PayPal has completely disabled the “preview” portal link described in the advisory.

The vulnerability was reported to PayPal on May 13th, 2016, and PayPal’s bug bounty program took notice a day later, issuing feedback later in May. The patch was issued on July 10th, and the vulnerability was publicly disclosed this month.
