PayPal left red-faced after more security holes found in two factor authentication

PayPal left red-faced after more security holes found in two factor authentication
Just over a month ago, security researchers revealed that one of PayPal’s primary mechanisms to protect accounts from hackers had been fundamentally flawed for years.

Researchers at Duo Security discovered a method of bypassing the two-factor authentication (2FA) technology used by the site, which is supposed to protect your account should your PayPal username and password fall into the hands of online criminals.

When Duo Security got frustrated by PayPal’s slow response at dealing with the flaw, they decided to go public with details.

That was embarrassing enough for PayPal, but now other researchers have publicly disclosed new methods to bypass what should have been a strong additional layer of protection for PayPal accounts.

Sign up to our free newsletter.
Security news, advice, and tips.

Researchers at Escalate Internet say that the flaw they have uncovered is “extremely simple to execute” and and can be abused by “anyone with a PayPal account and basic computer skills”.

Escale Internet CEO Chase Watts posted an article describing the flaw, and giving step by step instructions on how the exploit can be demonstrated:

Thousands of websites are now utilizing PayPal’s Adaptive Payments – a system that allows you to split payments between multiple merchants. When using Adaptive Payments, most websites require you to connect your PayPal account to their application. When you click to connect to their application, you are forwarded to a page directly on PayPal.com to authenticate this connection. You may enter your PayPal email address and password to login through this page – and you WILL NOT be forwarded to your Two-Step Authentication, you are simply logged in.

While on the surface this doesn’t appear to be a huge security threat because you aren’t necessarily sending money to anyone, you’re simply connecting to an application within their Adaptive Payments sytem. However, after logging in with just your email address and password on this page, you are fully authenticated. This means you can simply go to PayPal.com and be automatically logged into your account – with the two-step authentication being 100% bypassed!

PayPal told SecurityWeek that it was aware of the issue with its two-factor authentication system, and while downplaying the threat, said that it would attempt to address the issue as quickly as possible.

We are aware of a two-factor authentication (2FA) issue that is limited to a small amount of integrations with Adaptive Payments. 2FA is an extra layer of security some customers have chosen to add to their PayPal accounts. We are working to get the issue addressed as quickly as possible. It is important to clarify that 2FA provides extra assurance to keep accounts secure, however usernames and passwords are still required to gain access to all PayPal accounts.

And yes, they’re right. This method merely waltzes around PayPal’s two-factor authentication. It doesn’t help hackers unless they have managed to determine your username and password.

But that’s not the point.

Security-conscious folks enable 2FA for sites like PayPal because they want *more* security than just a mere username and password. We expect websites to have implemented the extra layer of protection competently, not to have made it as useful as a chocolate teapot.

Simultaneously, Australian security researcher Joshua Rogers appears to have found a similar way of bypassing PayPal’s two-factor authentication.

Rogers, who claims he found the bypass in early June, says the flaw is connected with how you can link your eBay account to your PayPal account for easy payment for items you sell on the auction site.

Rogers explained that PayPal apparently entirely ignores 2FA, if you append a particular phrase to the end of the URL in your browser:

When you are redirected to the login page, the URL contains “=_integrated-registration”. Doing a quick Google search for this shows that it isn’t used for anything other than eBay; thus it is setup purely for Paypal and eBay.

Once you’re actually logged in, a cookie is set with your details, and you’re redirected to a page to confirm the details of the process. And this is where the exploit lays. Now just load http://www.paypal.com/ , and you are logged in, and don’t need to re-enter your login.

So, the actual bug itself is that the “=_integrated-registration” function does not check for a 2FA code, despite logging you into Paypal.

Here is a video that Rogers made demonstrating the bypass exploit.

Rogers says he told PayPal on June 5 2014 about the issue, but has now gone public about the flaw because it has still not been fixed.

Whether you think Escalate Internet and Joshua Rogers have acted responsibly in disclosing details of how to bypass PayPal’s 2FA is a debate that will go on and on. But one thing is clear, PayPal’s additional level of security has proven itself to be full of holes.

Even if PayPal does promptly fix these latest issues, are you going to trust it to do its job properly and be more secure in future?

This article originally appeared on the Optimal Security blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

One comment on “PayPal left red-faced after more security holes found in two factor authentication”

  1. shipdog7

    Fast forward to August 2019. My PayPal account was compromised by two fraudulent charges totaling $2000. PayPal support told me hackers get into an account and look around to see how much they can take from the account. My bank cancelled and reissued my credit card. Money returned.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.