PayPal two-factor authentication vulnerability revealed

Duo Security has unveiled a vulnerability in PayPal's two-factor authentication system that allows attackers to bypass the security system and make unauthorised payments from a user's account.

According to the Michigan-based two-factor authentication security startup's research team, Duo Labs, the vulnerability lies in the authentication flow for the PayPal API web service, which is an API used by PayPal's official mobile applications, as well as third-party merchants and apps.

In a blog post, Duo Security said it waited until PayPal had put a workaround in place before publicly unveiling the vulnerability.

"As of the date of this post (June 25), PayPal has put a workaround in place to limit the impact of the vulnerability, and is actively working on a permanent fix," the post said. "In light of the vulnerability reporting timeline and the trivial discoverability of the vulnerability, we have elected to publicly disclose this issue, so that users can be informed to the risks to their PayPal accounts."

According to Duo Security, all an attacker needs is a victim's PayPal username and password to access a two-factor protected account and send money, with the protection offered by PayPal's two-factor Security Key mechanism bypassed and effectively nullified.

Duo Labs discovered that, although PayPal's mobile apps do not support 2FA (two-factor authentication)-enabled accounts, it was possible to effectively "trick" PayPal mobile applications into ignoring a 2FA flag on an account, subsequently allowing an attacker to log in without requiring secondary authentication — which is usually sent either to a user's mobile phone or a credit-card sized security code device.

The security research team was able to leverage the lack of 2FA enforcement by interfacing with the PayPal API directly and effectively mimic the payment platform's mobile app as though it were accessing a non-2FA account.

Duo Labs' proof-of-concept Python script exploit was able to communicate with two separate PayPal API services — one to authenticate, and the other to transfer money to another account destination.

While the standard browser-based PayPal web interface was not affected by the bypass, according to Duo Security, an attacker can use the underlying API to gain full account access.

Duo security said that, as of re-testing on June 23, PayPal had implemented a workaround, with a permanent fix slated for 28 July.

In a statement posted on its PayPal Forward Community page, PayPal's senior director of global initiatives, Anuj Naya, said that despite the vulnerability, "all PayPal accounts remain secure".

"The workaround identified by the researcher is related to an extra layer of security (2FA) some customers have chosen to add to their PayPal account," said Naya. "Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way.

"If you have chosen to add 2FA to your PayPal account, your account also remains secure and 2FA will continue to operate as usual on the vast majority of PayPal product experiences. Even though 2FA is an additional layer of authentication, PayPal does not depend on 2FA to keep accounts secure."

Last month, PayPal's parent company, eBay, informed customers of a massive privacy breach, announcing on 21 May that it had been subject to an attack that compromised a database holding non-financial data.

The company told its users to change their passwords, despite indications that it had not found any evidence to indicate unauthorised activity in customers’ accounts.

According to eBay, the attack saw its employee login credentials compromised as early as late February and early March, allowing access to its corporate network and customer database.