How to bypass PayPal two factor authentication

One of PayPal’s primary mechanisms to protect accounts from being hacked may have been fundamentally flawed for years.

That’s the concern raised by security researchers who uncovered a method of bypassing PayPal’s two-factor authentication (2FA), the technology that is supposed to protect your account should your username and password fall into the wrong hands.

As the video below demonstrates, when users log into a 2FA-enabled PayPal account using one of the company’s smartphone apps, they are briefly logged in *before* a message appears explaining that the feature is not compatible with mobile devices.

If you’re quick enough though, you can disable your device’s internet access (by enabling “Airplane mode”) temporarily. If you then re-enable net access you remain logged into the eBay account, having waltzed past PayPal’s two-factor authentication check.


Duo Security, who publicised the flaw, claims that the “shoddy” vulnerability lies primarily in the authentication flow for the PayPal API web service — an API used by PayPal’s official mobile applications, as well as numerous third-party merchants and apps — and also partially in the official iOS and Android mobile apps themselves.
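A simplified model of the design issue described above: if the server hands out a usable session after the password step and relies on the app to enforce 2FA, a client that never acts on the 2FA response stays logged in. This is an added example, not PayPal's or Duo's code; every name, the sample users and the static one-time code are hypothetical.

```python
import hmac
import secrets

# Constructed sample data. The static "otp" stands in for a real TOTP/SMS check.
USERS = {
    "alice": {"password": "correct horse", "otp": "492817", "mfa": True},
    "bob": {"password": "hunter2", "otp": None, "mfa": False},
}
SESSIONS = {}  # token -> {"user": str, "mfa_pending": bool}


def login(user, password):
    """Password step. For a 2FA user the returned session is only pending."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return None
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = {"user": user, "mfa_pending": rec["mfa"]}
    return token


def verify_second_factor(token, code):
    """Second step. Only a correct code clears the pending flag."""
    sess = SESSIONS.get(token)
    if sess is None or not sess["mfa_pending"]:
        return False
    if hmac.compare_digest(USERS[sess["user"]]["otp"], code):
        sess["mfa_pending"] = False
        return True
    return False


def authorize_client_enforced(token):
    """Flawed pattern: any session from the password step is accepted, and
    the server trusts the app to show the 2FA screen and log the user out."""
    return token in SESSIONS


def authorize_server_enforced(token):
    """Hardened pattern: the server checks 2FA state on every request, so a
    client that skips or never receives the 2FA response gains nothing."""
    sess = SESSIONS.get(token)
    return sess is not None and not sess["mfa_pending"]
```

With the server-enforced check, the order in which the app receives or displays messages no longer matters, because the pending session authorizes nothing until the second factor is verified.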

Duo’s blog post goes into much more detail, and shows that the problem was initially discovered by Dan Saltman of Everydaycarry.com.

Saltman informed PayPal’s security team about the bug back in March, but after receiving no response turned to Duo – specialists in two-factor authentication – to see if they could confirm the security flaw and leverage any contacts they had inside PayPal.

There then followed a fair amount of back-and-forth between the companies, with Duo seemingly frustrated at the slow response from PayPal, and PayPal requesting that Duo delay its public disclosure of the flaw.

Views may differ as to whether Duo was right to go public about the flaw when it did, but now the news is out.

It appears to me that PayPal made it much too easy for fraudsters to trick PayPal into believing a user had not enabled two-factor authentication, even when they had.

And, the implication is that the flaw in PayPal’s systems may have been present since the firm launched its first mobile app way back in 2008.

Of course, the 2FA workaround can’t be put into play by hackers if they don’t know your PayPal password. That’s another reason why it’s so important to use a unique, hard-to-crack password for every website that you access, as well as being on your guard against phishing attacks and keylogging spyware.

PayPal, owned by online auction giant eBay, was reported by The Guardian as saying that “all PayPal accounts remain secure”, but that they have taken action to mitigate the issue:

“As a precaution we have disabled the ability for customers who have selected 2FA to log in to their PayPal account on the PayPal mobile app and on certain other mobile apps until an identified fix can be implemented in the next few weeks.”

eBay, of course, has had its own security headaches this year.

What do you think of this issue? Was Duo Security right to publicise the flaw? Has PayPal dropped the ball when it comes to implementing two-factor authentication? Leave a comment below sharing your thoughts.

This article originally appeared on the Lumension blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.
