Researchers: PayPal's two-factor authentication was easy to bypass


Researchers have discovered that PayPal’s two-factor authentication was trivial to circumvent. Two-factor authentication is intended to better secure accounts, but the PayPal variant offered hardly any extra protection in practice.

The vulnerability was discovered by security company Duo Security. When a PayPal account has two-factor authentication enabled, the PayPal server's login response carries the variable ‘2fa_enabled’ with the value ‘true’. By intercepting that traffic and changing the value to ‘false’, the company found, the second factor could be skipped entirely: enforcement of the extra step was left to the client rather than the server.

Note that an attacker still needs the victim's PayPal username and password. These could be captured with a keylogger, for example, after which the extra protection of two-factor authentication is gone: the attacker can then perform the login from his own computer and skip the additional check.

The researchers wrote their own Python script to exploit the vulnerability, which let them bypass the second factor and initiate a rogue transaction. A script was needed because the PayPal mobile apps did not yet support accounts with two-factor authentication: the ‘2fa_enabled’ variable exists so that the app shows an error when a user who has the extra protection enabled tries to log in anyway. Rewriting the flag removes that error, and nothing on the server side checks whether the second factor was ever presented.
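To make the design flaw concrete, here is an added example (not PayPal's code and not Duo Security's script) that models two toy API servers in Python: a vulnerable one that issues a fully privileged session at password login and merely tells the client whether 2FA is on, and a hardened one that keeps the session unusable until the server itself has verified the one-time code. The user database, endpoint names, the `2fa_enabled` flag's placement and the `flip_flag` interception step are all assumptions made for illustration.

```python
"""Toy model of client-enforced vs. server-enforced 2FA (added example, hypothetical API)."""
import secrets

# Constructed sample account; the OTP is a fixed string purely for the demo.
USERS = {"alice": {"password": "hunter2", "twofa": True, "otp": "123456"}}


def _check_password(user, password):
    u = USERS.get(user)
    if u is None or not secrets.compare_digest(u["password"], password):
        return None
    return u


class VulnerableServer:
    """Grants a fully privileged token on password alone.
    The '2fa_enabled' flag is advice to the client, nothing more."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, password):
        u = _check_password(user, password)
        if u is None:
            return {"error": "bad credentials"}
        token = secrets.token_hex(8)
        self.sessions[token] = user  # privileged immediately, 2FA or not
        return {"token": token, "2fa_enabled": u["twofa"]}

    def transfer(self, token, amount):
        if token not in self.sessions:
            return {"error": "unauthenticated"}
        return {"ok": True, "from": self.sessions[token], "amount": amount}


class HardenedServer:
    """Password login yields only a pending token for 2FA users;
    verify_otp is the sole path to a privileged session."""

    def __init__(self):
        self.pending = {}
        self.sessions = {}

    def login(self, user, password):
        u = _check_password(user, password)
        if u is None:
            return {"error": "bad credentials"}
        token = secrets.token_hex(8)
        if u["twofa"]:
            self.pending[token] = user  # cannot transact yet
            return {"pending_token": token, "2fa_enabled": True}
        self.sessions[token] = user
        return {"token": token, "2fa_enabled": False}

    def verify_otp(self, pending_token, otp):
        user = self.pending.get(pending_token)
        if user is None or not secrets.compare_digest(USERS[user]["otp"], otp):
            return {"error": "bad otp"}
        del self.pending[pending_token]
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return {"token": token}

    def transfer(self, token, amount):
        if token not in self.sessions:
            return {"error": "unauthenticated"}
        return {"ok": True, "from": self.sessions[token], "amount": amount}


def flip_flag(resp):
    """Models the interception: rewrite the server's 2fa_enabled to false."""
    resp = dict(resp)
    if "2fa_enabled" in resp:
        resp["2fa_enabled"] = False
    return resp


def app_login_and_pay(server, user, password, amount, intercept=None):
    """Client logic of an app that does not support 2FA: it stops with an
    error when the server says 2FA is on. 'intercept' stands for a proxy
    rewriting the response before the app sees it."""
    resp = server.login(user, password)
    if intercept is not None:
        resp = intercept(resp)
    if "error" in resp:
        return resp
    if resp.get("2fa_enabled"):
        return {"error": "2FA required; app does not support it"}
    return server.transfer(resp.get("token"), amount)


def bypass_vulnerable():
    """Flag flipped in transit: the vulnerable server accepts the transfer."""
    return app_login_and_pay(VulnerableServer(), "alice", "hunter2", 100, intercept=flip_flag)


def bypass_hardened():
    """Same flip against the hardened server: no privileged token exists."""
    return app_login_and_pay(HardenedServer(), "alice", "hunter2", 100, intercept=flip_flag)


def honest_hardened():
    """Legitimate flow on the hardened server: pending token, then OTP."""
    srv = HardenedServer()
    first = srv.login("alice", "hunter2")
    second = srv.verify_otp(first["pending_token"], "123456")
    return srv.transfer(second["token"], 100)
```

The point of the hardened variant is that the client-visible flag becomes irrelevant: a tampered response only changes what the app displays, while the server never issued anything that could authorise a transfer.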

PayPal was notified of the security issue in late March, but only deployed a temporary workaround last week that blocks the bypass. A permanent fix is not expected until the end of July.
