PayPal scrambles to plug two-factor authentication flaw

Global payments giant PayPal is currently patching its systems after security researchers Duo Security showed the two-factor authentication protection for user accounts could be easily bypassed.

Two-factor authentication (2FA) adds another layer of security by introducing a challenge and response step when logging in. Correctly set up, 2FA can prevent unauthorised logins even when usernames and passwords have been captured.

Bypassing PayPal's 2FA system turned out to be trivial for the researchers. It was discovered by accident by Daniel Blake Saltman who noticed that if he enabled his iPhone to flight mode at the right moment, he could bypass the 2FA requirement and access his own account.

Duo Security's Labs research team found that authentication flow in the application programming interface for PayPal's web services doesn't enforce 2FA in all situations.

The vulnerability lies within PayPal's mobile clients for Apple's iOS and Google's Android operating systems. These do not support 2FA as of yet, and the researchers discovered they can be tricked into ignoring it completely, providing full access to PayPal accounts that have the security measure enabled.

By capturing and analysing traffic between a mobile PayPal client and the payments processors webservers, the researchers discovered that a simple attribute was all that prevent the mobile client from proceeding with the log in.

If the 2fa_enabled attribute sent back to the server from the mobile client was changed to "false" from "true", it was possible to gain full access to a user's PayPal account, as the 2FA request was ignored.

The researchers were also able to write a home-brewed PayPal client in Python that among other things enabled them to send money after authenticating with the mobileclient.paypal.com API.

PayPal has been notified by the researchers and has put in temporary measures to prevent the security hole from being exploited, according to Duo Labs. A full, permanent fix is expected on July 28.

Despite the vulnerability, Duo Labs chief technical officer Jon Oberheide cautioned users against not using 2FA.

Does [the PayPal security hole] mean you should avoid enabling two-factor across the web? No way! While implementation flaws may limit the efficacy in some specific cases like this one, properly implemented 2FA is one of the most effective technologies to secure your accounts, so apply liberally!

A PayPal spokesperson referred iTnews to an official statement by its director of global initiatives, Anuj Nayar, who said customer accounts remained secure despite the 2FA flaw discovered by the researchers.

He said Paypal had taken the precaution of disabling the ability for customers with 2FA enabled to log into their accounts on the Paypal mobile app. These customers will have to use the Paypal mobile website to log in while the issue is resolved.

Nayar said Paypal doesn’t depend on 2FA solely to keep accounts secure, and utilised 'extensive' fraud and risk detection models with dedicated security teams to keep customers safe from fraudulent transactions.

Earlier this year PayPal's parent company eBay suffered a mass data breach which saw unknown attackers capture employee logins and access user data such as passwords and email addresses.

While PayPal was not affected by that breach, the company asked around 145 million customers to change their passwords in the wake of the incident.