Bypass Discovered for PayPal's Two-factor Authentication

Photo credit: Alexander Supertramp/

Two-factor authentication is the go-to defence for protecting accounts against stolen passwords, but hot on the heels of news of major data breaches at eBay, Target and a number of other large retailers, Duo Security researchers have discovered a bypass for PayPal’s two-factor authentication.

Duo Security’s bypass takes advantage of the lack of two-factor enforcement on PayPal’s mobile APIs, which lets a user or attacker log in without ever supplying a second factor. In practice, an attacker who holds a PayPal user’s username and password can access the account and transfer money even if two-factor authentication is enabled on it, because the second factor is never enforced.

At risk are PayPal’s 143 million active users, as well as the many vendors that use PayPal’s mobile services. Duo Security noted that PayPal (owned by eBay) processed $145 billion in 2012 and $43 billion in Q2 2013 (the most recent quarter with data available). That is approximately $5,445 per second, the firm points out, and $14 billion of the 2012 total came from mobile payments.

“The numbers are staggering and Duo Security believes that in the rush to secure consumer and enterprise accounts, we will see more security features added as an afterthought,” the group said in a blog. “Unfortunately, these are typically done poorly and can be easily bypassed by attackers.”

The vulnerability lies primarily in the authentication flow for PayPal’s API web services, researchers noted. In particular, a RESTful API that uses OAuth for authentication and authorization does not directly enforce the account’s two-factor requirement server-side when authenticating a user: a valid username and password are enough to obtain a usable token, and any two-factor check is left to the client application.

“The PayPal iOS application exhibited suspicious behavior by briefly showing the user’s account information and transaction history prior to forcefully logging them out,” explained Duo Security’s Zach Lanier, in an analysis. “Based on this behavior, we decided to investigate what was happening communications-wise on the wire. Using Burp, we intercepted and analyzed HTTP/HTTPS traffic between the PayPal mobile apps and remote PayPal web services. In particular, we observed the authentication process, paying close attention to how the service responded to 2FA-enabled accounts versus non-2FA-enabled accounts.”
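The pattern Duo describes, an app that receives a working session and then enforces the second factor itself by logging the user out, is the classic client-side 2FA mistake. The following toy token issuer is an added example written for this article, not PayPal's code or Duo's test harness: the user records, second-factor codes, endpoints and token format are all constructed. It puts the flawed issuer (2FA reported as an advisory flag on a full-scope token) beside a hardened one (a 2FA-enabled account only receives a restricted pre-auth token until the code is verified), and shows that an attacker holding only the password succeeds against the first and is refused by the second.

```python
"""Toy OAuth-style token issuer: client-enforced versus server-enforced 2FA.

Constructed, hypothetical example. Nothing here is PayPal's API; the user
store, codes, endpoints and token layout are invented for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed credential store. Plaintext passwords keep the example short;
# a real service stores salted hashes.
USERS = {
    "alice": {"password": "correct horse", "two_factor": True},
    "bob":   {"password": "battery staple", "two_factor": False},
}

# Second-factor codes the server has already delivered out of band (constructed).
PENDING_CODES = {"alice": "492817"}


@dataclass
class Token:
    subject: str
    scope: str                           # "full" or "2fa_pending"
    value: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    two_factor_required: bool = False    # flawed design: an advisory flag only


ISSUED: dict[str, Token] = {}            # server-side token table


def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)


def issue_token_flawed(user: str, password: str):
    """Flawed issuer: hands out a full-scope token and merely tells the client
    that 2FA is required. Enforcement depends on the client honouring the flag."""
    if not check_password(user, password):
        return None
    tok = Token(subject=user, scope="full",
                two_factor_required=USERS[user]["two_factor"])
    ISSUED[tok.value] = tok
    return tok


def issue_token_hardened(user: str, password: str):
    """Hardened issuer: a 2FA-enabled account only gets a pre-auth token that
    no resource endpoint accepts until the second factor is verified."""
    if not check_password(user, password):
        return None
    scope = "2fa_pending" if USERS[user]["two_factor"] else "full"
    tok = Token(subject=user, scope=scope)
    ISSUED[tok.value] = tok
    return tok


def complete_two_factor(preauth_value: str, code: str):
    """Exchange a pre-auth token plus a correct code for a full-scope token."""
    tok = ISSUED.get(preauth_value)
    if tok is None or tok.scope != "2fa_pending":
        return None
    expected = PENDING_CODES.get(tok.subject)
    if expected is None or not hmac.compare_digest(expected, code):
        return None
    del ISSUED[preauth_value]            # pre-auth tokens are single use
    del PENDING_CODES[tok.subject]       # so are the codes
    full = Token(subject=tok.subject, scope="full")
    ISSUED[full.value] = full
    return full


# Resource server: every endpoint declares the scope it requires (constructed paths).
ENDPOINT_SCOPE = {"/v1/account/balance": "full", "/v1/payments/transfer": "full"}


def call_api(token_value: str, endpoint: str) -> int:
    """Return an HTTP-style status for a request bearing the given token."""
    tok = ISSUED.get(token_value)
    if tok is None:
        return 401
    required = ENDPOINT_SCOPE.get(endpoint)
    if required is None:
        return 404
    if tok.scope != required:
        return 403
    return 200


def mobile_client_login(user: str, password: str):
    """Mimics a client that enforces 2FA itself: it drops the token when the
    flag is set, but the server-side token already exists and remains usable."""
    tok = issue_token_flawed(user, password)
    if tok is not None and tok.two_factor_required:
        return None
    return tok


def transfer_with_password_only(issuer, user: str, password: str) -> int:
    """What an attacker who ignores the client does: obtain a token with the
    password alone and call the money-moving endpoint directly."""
    tok = issuer(user, password)
    if tok is None:
        return 401
    return call_api(tok.value, "/v1/payments/transfer")
```

With the flawed issuer, `transfer_with_password_only(issue_token_flawed, "alice", "correct horse")` returns 200 for a 2FA-enabled account, which is the bypass; with the hardened issuer the same call returns 403, and only `complete_two_factor` with the correct code yields a token the transfer endpoint accepts. The check a practitioner should take away is the one Duo performed: intercept the traffic and confirm that the server's response to a 2FA-enabled account differs from a non-2FA one before any second factor is supplied, rather than trusting the app's behaviour.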

Duo Security has disclosed the issue to PayPal, which says it is working on a fix, but the issue is not yet completely patched.

“With the sharp rise of phishing campaigns on PayPal, Duo Security felt that there was a trend toward misuse of PayPal’s services and that the public should be notified of these potential issues,” the firm said.
