PayPal two-factor authentication vulnerability revealed

Duo Security this week unveiled a massive security vulnerability in PayPal's two-factor authentication system which would have allowed attacked to bypass the security system and gain access to user's accounts where they would have been able to make unauthorized payments.

The vulnerability is has to have been in the authentication flow for the PayPal API web service which is used by PayPal's official mobile application, as well as third-party merchants and apps.  Duo Security waited until PayPal fixed the issue before publicly unveiling this vulnerability, a post from the security firm said the following:

"As of the date of this post (June 25), PayPal has put a workaround in place to limit the impact of the vulnerability, and is actively working on a permanent fix,"

"In light of the vulnerability reporting timeline and the trivial discoverability of the vulnerability, we have elected to publicly disclose this issue, so that users can be informed to the risks to their PayPal accounts."

It was discovered that even though PayPal's mobile apps do not support 2FA (two-factor authentication) enabled accounts, it was possible to "trick" PayPal's mobile applications into ignoring a 2FA flag on an account, in turn allowing an attacker to log in without requiring secondary authentication — which is usually sent either to a user's mobile phone or a credit-card sized security code device.  This was all possible by interfacing directly with the PayPal API.  

Duo Labs' proof-of-concept was built on a Python script which was able to communicate with two separate PayPal API services, one to authenticate and the other to transfer money to another account.  PayPal have implemented a workaround on June 23rd, with a permanent fix being targeted for July 28th.

PayPal's senior director of global initiatives, Anuj Naya, said that "Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way.  He also went on to say that:

"If you have chosen to add 2FA to your PayPal account, your account also remains secure and 2FA will continue to operate as usual on the vast majority of PayPal product experiences. Even though 2FA is an additional layer of authentication, PayPal does not depend on 2FA to keep accounts secure."

Last month, PayPal's parent company, eBay, was in the spotlight after a massive privacy breach after an attack on May 21 which compromised a database holding non-financial data.  Click here for more info on eBay's privacy breach.