Teen Shows PayPal’s Two-Step Login is Insecure

An Australian teenager has exposed a flaw in PayPal’s two-step authentication process that could allow hackers to access the accounts of unsuspecting users. The 17-year old security enthusiast, Joshua Rogers, revealed that he was able to bypass the authentication process by spoofing a browser cookie. Such cookies are formed whenever a user links their PayPal account with their eBay profile.


Photo: littleny / Shutterstock

What Is Two-Step Authentication?

This technique is used by a number of websites to secure their user accounts. Since passwords can be lost or forgotten, the two-step verification process is used as an additional security method. PayPal also provides its users with an option of receiving a passcode, which is sent via text message and the user needs to enter this code while logging on.

Also known as the two-factor authentication process, it has become very common, and is used by almost all financial websites that face high risk. It is safe in most cases, because it sends a code through an offline method (mobile messaging), which cannot be accessed by hackers.

Despite being informed about the security shortcoming on June 5, PayPal didn’t fix up the potholes, which forced Rogers to use his personal blog to put up the attack details.

By making it public on his blog, Rogers lost his claim to the prize money that PayPal offers to researchers to report any online flaws to the company. This keeps the flaw a secret until PayPal removes it. While the exact amount of this prize is never revealed, according to Rogers, this may have been around $3,000.

The method followed by Rogers could only be used if the hacker knows the victim’s login or username for eBay and PayPal (which isn’t difficult as a number of malware can steal that information). Once the hacker possesses these details, he can easily create a cookie using the page that links PayPal and eBay accounts. This cookie gives an impression to PayPal that the user has logged in, and so the PayPal server doesn’t go for the two-factor authentication.

He posted the video of his hack on YouTube. When he failed to get PayPal’s attention, he posted the same on his blog.

According to Rogers, the problem is with the eBay owned page that links to the user’s PayPal account. Upon linking, the cookies created by the page force PayPal to assume that the user has logged in even without the two-factor authentication.

He further added that the root cause of the issue is the “=_integrated-registration” function, which fails to check the status of the ‘two-factor authentication’. Getting access to the PayPal account is as easy as linking and de-linking the accounts of e-Bay and PayPal.

Interestingly, even if the user doesn’t have the passcode sent to their mobile, the website gives an option to skip it and rather authenticates the user with the answers to a couple of security questions.

Finding answers to “What’s the name of your first school?” and “What’s the name of the hospital in which you were born?” isn’t the most difficult task for a hacker.

Is PayPal Unsafe?

Before blaming PayPal for this flaw, we must understand that such companies need to find just the correct balance between account security and user convenience. An aggressive security framework would surely frustrate a locked out user.

PayPal isn’t the first website where Rogers has highlighted a bug. Last year, he did the same for a website operated by the transport authorities in Australia. This act earned him a Police caution.

Rogers was successful in getting access to over 600,000 records maintained by the Public Transport Victoria (PTV) website. Some of these records had critical information such as passwords, phone numbers, and credit card numbers. Though he did it with a positive intention and brought this bug to the attention of authorities, the company didn’t take it lightly and informed the Police.

Customers who didn’t opt for the PayPal security key need not be alarmed by this news, as their accounts would operate just as usual. Customers who use 2FA (two factor authentication) key would also not notice any change in their PayPal experience.

The entire episode has been confirmed by a PayPal spokesperson. The company is fully aware that the ‘two factor authentication’ method has some issues that are restricted to a small number of integrations with adaptive payments. PayPal is working to resolve the issue at the earliest. The spokesperson further added that the 2FA is meant to keep the accounts secure, and the customers would still need to submit the username and password before the 2FA to login.