05 Aug 2014

Researcher Claims to Bypass PayPal’s Two-Factor Authentication

Australian security researcher Joshua Rogers says he has found a way to access PayPal accounts despite the two-factor authentication (2FA) feature that is meant to protect them, according to PC World.

“On the 5th of June, 2014, I found a complete bypass for Paypal's 2FA service, in which anybody would be able to access a Paypal account that has 2FA setup, by only logging in through a ‘special’ Paypal page,” the researcher announced on his blog.

When users link their PayPal account to their eBay account, they are asked to log in with their PayPal credentials and are then redirected to a confirmation page. That linking flow sets a cookie recording the registration state, and PayPal accepts it as a fully authenticated session. If the user loads www.paypal.com before completing the second login step, they are already logged in: no second entry of their credentials and no security code is required, so the second factor is never checked. The practical consequence is that an attacker who knows only the account password can use the linking page to get into an account that has 2FA enabled.
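As an added example (not code from the article, from PayPal or from eBay), the following Python models the class of flaw described above: a partner-integration login flow that sets a session cookie after the password step but before the second factor is verified, and a main site whose check treats any valid session cookie as a full login. The hardened check instead records which factors a session has actually satisfied and refuses sessions that have not completed 2FA for accounts that require it. All function names, the cookie format, the server key and the in-memory session store are assumptions made for illustration.

```python
"""
Added example, not PayPal's code and not from the original article.
Models the flaw: a login step that sets a session cookie before the
second factor is verified, and a main site that accepts any session
cookie as fully authenticated. Names, cookie format, server key and the
in-memory store are hypothetical.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

SERVER_KEY = b"example-server-key-do-not-reuse"  # constructed for the example
SESSIONS: dict[str, "Session"] = {}               # hypothetical server-side store


@dataclass
class Session:
    user: str
    password_ok: bool = False
    mfa_ok: bool = False
    origin: str = "main"  # which flow created the session, e.g. "integration"


def _sign(sid: str) -> str:
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def issue_cookie(session: Session) -> str:
    """Store the session server-side and return a MAC-protected cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = session
    return f"{sid}.{_sign(sid)}"


def lookup(cookie: str) -> Optional[Session]:
    """Verify the cookie's MAC and return the stored session, or None."""
    try:
        sid, mac = cookie.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _sign(sid)):
        return None
    return SESSIONS.get(sid)


# Partner-integration flow (hypothetical). Step 1 checks the password and,
# like the flaw described in the article, sets a session cookie *before*
# the second factor has been checked.
def integration_login_step1(user: str, password: str,
                            passwords: dict[str, str]) -> Optional[str]:
    if passwords.get(user) != password:
        return None
    return issue_cookie(Session(user=user, password_ok=True,
                                mfa_ok=False, origin="integration"))


def integration_login_step2(cookie: str, code: str, expected_code: str) -> bool:
    """Second step: verify the one-time code and mark the session as 2FA-complete."""
    s = lookup(cookie)
    if s is None or not s.password_ok:
        return False
    if hmac.compare_digest(code, expected_code):
        s.mfa_ok = True
        return True
    return False


def is_logged_in_vulnerable(cookie: str) -> bool:
    """Main-site check that treats any valid session cookie as a full login.
    Skipping step 2 and loading the main site with the step-1 cookie bypasses 2FA."""
    return lookup(cookie) is not None


def is_logged_in_fixed(cookie: str, user_has_2fa: dict[str, bool]) -> bool:
    """Main-site check that requires every factor the account needs to have
    been verified, regardless of which flow created the session."""
    s = lookup(cookie)
    if s is None or not s.password_ok:
        return False
    if user_has_2fa.get(s.user, False) and not s.mfa_ok:
        return False
    return True


def demo() -> tuple[bool, bool]:
    """Replay the bypass: password step only, then hit the main site.
    Returns (vulnerable check result, fixed check result)."""
    passwords = {"alice": "correct horse"}  # constructed sample data
    has_2fa = {"alice": True}
    cookie = integration_login_step1("alice", "correct horse", passwords)
    assert cookie is not None
    # An attacker holding only the password never completes step 2.
    return is_logged_in_vulnerable(cookie), is_logged_in_fixed(cookie, has_2fa)


if __name__ == "__main__":
    vuln, fixed = demo()
    print(f"vulnerable check grants access: {vuln}; fixed check grants access: {fixed}")
```

The design point is that "has a session cookie" and "is fully authenticated" are different states: the session must carry which factors were verified, and every entry point into the site, including partner or integration pages, must consult that record rather than the mere existence of a cookie.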

The researcher decided to make the flaw public after reporting it to PayPal and receiving no response.