New Two-Step Authentication Exploit Targets PayPal Accounts

Researchers at the two-factor authentication security provider Duo Labs have announced that they have discovered a bug in the iOS and Android versions of the PayPal app. Anyone who knew the bypass method could gain full access to a person's account information and personal details, even when the account was supposedly protected by two-step authentication.


Photo: littleny / Shutterstock

Duo Labs member Zach Lanier says he first encountered the issue when a friend of Duo’s CEO mentioned that he was able to bypass the verification process on his own account back in March of this year.

Two-step verification works by linking a user's cell phone or a dedicated security key to their PayPal account; that phone or key receives a unique one-time code each time a login is attempted with their credentials, and the login is only completed once that code is entered.
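To make the mechanism concrete, here is a small server-side model of that flow. It is an added example written for this article, not PayPal's code and not Duo's: a correct password only yields a pending session, a one-time code tied to that session is "sent" to the registered phone, and account details are released only after the code is verified on the server. The `TwoStepLogin` class, the user table and the 300-second code lifetime are constructed for the example. The security-relevant point is that the gate lives on the server, so a client that skips or ignores the code step still holds nothing more than a pending session.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a one-time code
MAX_ATTEMPTS = 5         # assumed cap on code guesses per login attempt


class TwoStepLogin:
    """Server-side two-step verification (constructed example).

    `users` maps a username to a dict with 'password', 'phone' and 'details'.
    Passwords are kept in plaintext only to keep the example short; a real
    system would store and compare a password hash.
    """

    def __init__(self, users, clock=time.time):
        self._users = users
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # session id -> state dict
        self.sent_codes = []         # (phone, code) pairs an SMS gateway would deliver

    def password_login(self, username, password):
        """Step one: check the password and open a *pending* session."""
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        sid = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"      # six-digit one-time code
        self._sessions[sid] = {
            "user": username,
            "verified": False,
            "code": code,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.sent_codes.append((user["phone"], code))   # stand-in for sending the SMS
        return sid

    def verify_code(self, sid, code):
        """Step two: the code must match the one bound to this session,
        be unexpired, and be used at most once."""
        s = self._sessions.get(sid)
        if s is None or s["verified"]:
            return False
        if self._clock() > s["expires"] or s["attempts"] >= MAX_ATTEMPTS:
            del self._sessions[sid]          # stale or brute-forced: discard the attempt
            return False
        s["attempts"] += 1
        if not hmac.compare_digest(s["code"], code):   # constant-time compare
            return False
        s["verified"] = True
        s["code"] = None                     # one-time use: the code cannot be replayed
        return True

    def account_details(self, sid):
        """Account data is released only to a fully verified session,
        regardless of what the client claims."""
        s = self._sessions.get(sid)
        if s is None or not s["verified"]:
            raise PermissionError("two-step verification not completed")
        return self._users[s["user"]]["details"]


if __name__ == "__main__":
    # Constructed sample user for a stand-alone run.
    users = {"alice": {"password": "correct horse", "phone": "+15555550100",
                       "details": {"balance": "12.34"}}}
    srv = TwoStepLogin(users)
    sid = srv.password_login("alice", "correct horse")
    _, code = srv.sent_codes[-1]
    print("before code:", "denied" if not srv._sessions[sid]["verified"] else "allowed")
    print("code accepted:", srv.verify_code(sid, code))
    print("details:", srv.account_details(sid))
```

The `clock` parameter exists only so that expiry can be exercised without waiting; in production the default `time.time` is used.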

No figures have been released yet on how many accounts may have been compromised since the hole became public. PayPal is expected to release this data as the information becomes available.

PayPal was quick to acknowledge the issue on their blog, assuring users of the convenient online payment service that their accounts would remain safe even while engineers at the company temporarily disable the 2FA system until the bug can be dealt with appropriately.

“Through the PayPal Bug Bounty Program we were recently made aware of a potential way to bypass our two-factor authentication (2FA) login process for a small number of our mobile products. As this researcher has chosen to share the issue publicly and because your security is important to us, we wanted to share a bit more information with you.”

Rough estimates by the company itself put a hotfix at around the end of July, though it noted that the fix could be deployed earlier if preliminary tests run without a hitch.

In the meantime, PayPal is confident that it will be able to mitigate any damage that may have been or could still be caused by the exploit, and reminded everyone that even though 2FA is an important piece of the security picture, it is only one of several protection measures that work to prevent unauthorized access to your information.

“We want to emphasize that all PayPal accounts remain secure. The workaround identified by the researcher is related to an extra layer of security (2FA) some customers have chosen to add to their PayPal account. Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way.

If you have chosen to add 2FA to your PayPal account, your account also remains secure and 2FA will continue to operate as usual on the vast majority of PayPal product experiences. Even though 2FA is an additional layer of authentication, PayPal does not depend on 2FA to keep accounts secure. We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, every day.”