PayPal Two-Factor Authentication Bypassed via Mobile App-Web API Vulnerability
A vulnerability between PayPal’s mobile app and web service authentication flow enabled two-factor authentication (2FA) bypass, according to Duo Security’s blog post. A temporary fix has been deployed by PayPal for this issue, which appears to be a design flaw and staff is working on a permanent fix.
“When two-factor authentication is done right and consistently (across services) it provides really great value,” said Zach Lanier, Senior Security Researcher at Duo Security. “But if you have one weak link in the chain, like we’ve seen here – perhaps a design oversight – that makes this all for naught.”
The 2FA-enabled accounts are not supported by PayPal’s mobile app, allowing an attack to trick the 2FA flow and log in without the secondary authentication by integrating the PayPal API into its own app.
The 2FA value was changed to “false” in the server response by the app when the 2FA-enabled accounts were accessed via the researcher’s application. The two API functions were used to communicate with the authentication process and the money transfer process.
“An attacker only needs a victim’s PayPal username and password in order to access a two-factor protected account and send money,” said Zach Lanier. “The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified.”
“We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, every day,” PayPal responded.
An official and permanent fix is expected in July.