PayPal patches bone-headed two factor authentication bypass

No phone? No worries

Update Paypal has patched a boneheaded two factor authentication breach that allowed attackers to switch off the critical account control in minutes by changing a zero to a one.

British MWR InfoSecurity consultant Henry Hoggart (@_mobisek) discovered and quietly reported the flaw to the payment giant.

Attackers with username and passwords in hand need only mess with post requests changing securityquestion0 to securityquestion1 for two factor authentication to be bypassed.

He says he found the flaw while needing to make a PayPal payment in a reception blackspot.

"Recently I was in a hotel needing to make a payment, there was no phone signal so I could not receive my two factor authentication token," Hoggart says.

"Luckily for me PayPal’s two factor authentication took less than five minutes to bypass."

Security experts across the internet were mocking PayPal over the simplicity of flaw with some calling it "embarrassing" and asking if the company's security technicians were asleep.

Two factor authentication is a modern benchmark for any organisation serious about securing user accounts. It introduces tough but not insurmountable barriers that require hackers to steal an external token, often over vulnerable SMS, before usernames and passwords can be abused.

"... we know all too well that many users either choose weak passwords or reuse the same password on multiple sites," security man Graham Cluley says.

"When built properly, two-factor authentication can make it harder for attackers to break into your account in these situations."

PayPal took about three days to fix the flaw. ®

Updated to add

A Paypal spokesperson sent us the following statement:

PayPal takes the security of our customers' data, money and account information extremely seriously. We worked quickly to resolve the reported issue. We do not have evidence to suggest that PayPal accounts were impacted in any way.

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017