PayPal 2-Factor Authentication hack found by security researcher
PayPal, the online payment service that Elon Musk helped found and that is now owned by eBay, has become a staple of daily life on the internet. After all, we use it for all sorts of payments, money transfers, invoicing and receiving money. But is it as secure as we hope?
An Australian security researcher has uncovered a way to bypass PayPal's Two-Factor Authentication (2FA). Joshua Rogers triggers the flaw through the flow that links an eBay account to a PayPal account, and the eBay account does not even need to belong to the victim:
"The Paypal account you were 'hacking' did NOT have to be affiliated with the eBay account you were using. In my original tests, I had made a new eBay account using a temporary email, and had gotten into my Paypal through the same method", Rogers states.
So, what is going on? It has to do with the flow that links a PayPal account to an eBay account. "Once you’re actually logged in, a cookie is set with your details, and you’re redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load http://www.paypal.com/ , and you are logged in, and don’t need to re-enter your login", Rogers continues.
And herein lies the problem. The account-linking flow is a second login path into PayPal, and that path never runs the Two-Factor Authentication step: it checks the password, sets a session cookie that the rest of the site treats as fully logged in, and the SMS code is never sent, even though the added security is enabled on the account. The second factor is only enforced on the main login page, so an attacker who knows the password simply logs in through the linking flow instead.
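The pattern described above, where a secondary entry point mints a logged-in session without ever running the second-factor step, is easy to reproduce in miniature. The following is an added example and is not PayPal's or eBay's code: the user record, the in-memory session store and the handler names (`login_vulnerable`, `link_partner_vulnerable`, `authenticate`, `account_page_allowed`) are invented for illustration. The vulnerable half has two handlers that each decide for themselves whether to issue a session; the hardened half routes every entry point through one authenticator that records whether the second factor was actually checked, and sensitive pages consult that record.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    password: str          # plaintext only so the demo stays short (never do this in production)
    twofa_enabled: bool
    current_otp: str       # the code the user's phone would show right now (constructed)


@dataclass
class Session:
    user: str
    mfa_verified: bool     # False until the second factor has really been checked


# Server-side session store: cookie value -> session record (constructed, in-memory).
SESSIONS: Dict[str, Session] = {}


def _mint_session(user: str, mfa_verified: bool) -> str:
    """Create a session cookie value and remember what it is allowed to do."""
    token = secrets.token_hex(16)
    SESSIONS[token] = Session(user, mfa_verified)
    return token


def _password_ok(db: Dict[str, User], username: str, password: str) -> Optional[User]:
    """Constant-time password check; returns the user record or None."""
    u = db.get(username)
    if u is None or not hmac.compare_digest(u.password, password):
        return None
    return u


def account_page_allowed(token: str) -> bool:
    """Gate for anything sensitive: a session counts as logged in only when
    the record says the second factor was verified."""
    s = SESSIONS.get(token)
    return s is not None and s.mfa_verified


# --- Vulnerable: two entry points, only one of which runs the OTP step -------

def login_vulnerable(db, username, password, otp=None):
    """Primary login form. Enforces 2FA correctly."""
    u = _password_ok(db, username, password)
    if u is None:
        return None
    if u.twofa_enabled and (otp is None or not hmac.compare_digest(u.current_otp, otp)):
        return None
    return _mint_session(username, mfa_verified=True)


def link_partner_vulnerable(db, username, password):
    """Secondary 'link your partner account' flow. It checks the password,
    never sends or checks a code, yet mints a session marked as fully
    verified, so loading the main site afterwards shows the account."""
    u = _password_ok(db, username, password)
    if u is None:
        return None
    return _mint_session(username, mfa_verified=True)   # the bypass: 2FA never ran


# --- Hardened: one authenticator, every entry point goes through it ----------

def authenticate(db, username, password, otp=None):
    """The only function allowed to mint sessions. If 2FA is on and no valid
    code was supplied, the session is minted unverified: enough to reach the
    'enter your code' page and nothing else."""
    u = _password_ok(db, username, password)
    if u is None:
        return None
    verified = (not u.twofa_enabled) or (
        otp is not None and hmac.compare_digest(u.current_otp, otp))
    return _mint_session(username, mfa_verified=verified)


def login_hardened(db, username, password, otp=None):
    return authenticate(db, username, password, otp)


def link_partner_hardened(db, username, password, otp=None):
    return authenticate(db, username, password, otp)
```

The useful check when auditing a real application is not "does the login page ask for the code" but "how many code paths can produce a session cookie, and does each one go through the same gate". Partner integrations, mobile APIs, password-reset completion and OAuth callbacks are the usual places where a second, weaker path appears.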
Rogers alerted PayPal to the problem last month, and the company pledged to fix the issue, but so far has failed to do so. "I originally found this on the 5th of June, 2014, and reported it to Paypal the same day", he says.
The security researcher has recorded a video demonstrating the problem and uploaded it to YouTube. Perhaps it will shame the company into making a move to protect its customers.