How Did A 17-Year-Old Crack PayPal’s Two Factor Authentication?

PayPal has discovered yet another flaw in its two-factor authentication system. Actually, it is more accurate to say that PayPal has had another flaw discovered for it. What a teenager has done is turn PayPal's two-factor authentication into one-factor authentication for any account that is also linked to eBay.

The honor goes to Australian 17-year-old and amateur security researcher Joshua Rogers, who determined that, even though PayPal offers two-factor authentication to make it harder for cyberthieves to take over accounts, the second factor can be skipped or worked around in two distinct ways.

With two-factor authentication enabled, users must enter a separate six-digit passcode after entering their username and password. Because the code is generated separately and delivered by text message, the theory is that a thief who holds only the password still cannot get in.

That theory, however, only holds up if the passcode is actually required to log into PayPal, which Rogers has demonstrated is not the case. The workaround stems from a flaw in the page on eBay that links an eBay account to a PayPal account. Completing the link sets a cookie that the PayPal application treats as proof of a finished login, even though no six-digit code has been entered; in effect, the second-factor check is inferred from a cookie rather than enforced on the server-side session. By repeatedly linking and unlinking eBay accounts, Rogers notes, an attacker could regain access to a compromised PayPal account at will.

To make this particular attack work, the attacker would already need the victim's username and password. That could happen in quite a few ways: shoulder surfing (watching someone type in those credentials); a shopper who reuses the same password across accounts, one of which has already been breached; tricking the user into entering the password on a phishing page designed to look like PayPal's; or plain password guessing. The whole point of two-factor authentication is to make such efforts inadequate to gain access. It seems that a cookie can do more than ruin an appetite. It can also undermine two-factor authentication.

The second workaround also relies on the attacker having outside knowledge of the victim. Instead of entering the six-digit code, users can answer a security question, some of which (like "What school did you attend first?") can be answered by any reasonably good internet researcher. A security question is "something you know", the same kind of factor as the password, so offering it as an alternative to the code quietly turns two-factor authentication back into one-factor authentication.
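Both workarounds above are failures of the same check: the application decides a session is fully authenticated from something other than a server-side record that the second factor was actually presented. The following is an added illustration in Python, not PayPal's or eBay's code and not Rogers' proof of concept. It models a hypothetical login flow with a constructed user record, shows a partner-linking step that drops a "logged in" cookie after only the password check, shows a security-question fallback that is accepted as if it were the one-time code, and contrasts both with a hardened authorization check that trusts only the server-side state written by the OTP step.

```python
"""Toy two-factor login flow (added example; all names and data are constructed)."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed user record: the OTP is fixed here so the example runs offline;
# a real system would generate it per login and deliver it out of band.
USERS = {
    "alice": {
        "password": "correct horse battery",
        "otp": "123456",
        "first_school": "Lincoln Elementary",
    }
}


@dataclass
class Session:
    user: str
    password_ok: bool = False
    # Which second-factor method completed, if any ("otp" or "security_question").
    second_factor: Optional[str] = None
    # Cookies the app has set on this session; the vulnerable check trusts them.
    cookies: dict = field(default_factory=dict)


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def login(user: str, password: str) -> Optional[Session]:
    """First factor only: a session exists but is not yet fully authenticated."""
    rec = USERS.get(user)
    if rec is None or not _eq(password, rec["password"]):
        return None
    return Session(user=user, password_ok=True)


def verify_otp(sess: Session, code: str) -> bool:
    """Second factor: the code delivered out of band (possession factor)."""
    if _eq(code, USERS[sess.user]["otp"]):
        sess.second_factor = "otp"
        return True
    return False


def answer_security_question(sess: Session, answer: str) -> bool:
    """Fallback that accepts a knowledge-based answer in place of the code."""
    if answer.strip().lower() == USERS[sess.user]["first_school"].lower():
        sess.second_factor = "security_question"
        return True
    return False


def link_partner_account_vulnerable(sess: Session) -> None:
    """Partner-integration page: treats 'password checked' as 'logged in' and
    sets a cookie that the rest of the app accepts as proof of a finished login."""
    if sess.password_ok:
        sess.cookies["logged_in"] = "1"


def is_authenticated_vulnerable(sess: Session) -> bool:
    """Flawed check: a cookie or any second-factor method unlocks the account."""
    return sess.cookies.get("logged_in") == "1" or sess.second_factor is not None


def is_authenticated_fixed(sess: Session) -> bool:
    """Hardened check: only server-side state written by the OTP step counts.
    Cookies are ignored, and a knowledge-based answer is the same factor as the
    password, so it does not satisfy the second-factor requirement."""
    return sess.password_ok and sess.second_factor == "otp"


def demo_cookie_bypass() -> tuple:
    """Password only, then the partner-link flow: (vulnerable verdict, fixed verdict)."""
    sess = login("alice", "correct horse battery")
    link_partner_account_vulnerable(sess)
    return is_authenticated_vulnerable(sess), is_authenticated_fixed(sess)


def demo_security_question_fallback() -> tuple:
    """Password plus a researchable security answer: (vulnerable, fixed)."""
    sess = login("alice", "correct horse battery")
    answer_security_question(sess, "lincoln elementary")
    return is_authenticated_vulnerable(sess), is_authenticated_fixed(sess)


def demo_legitimate_login() -> tuple:
    """Password plus the real OTP: both checks should pass."""
    sess = login("alice", "correct horse battery")
    verify_otp(sess, "123456")
    return is_authenticated_vulnerable(sess), is_authenticated_fixed(sess)


if __name__ == "__main__":
    print("cookie bypass (vulnerable, fixed):", demo_cookie_bypass())
    print("security question (vulnerable, fixed):", demo_security_question_fallback())
    print("real OTP (vulnerable, fixed):", demo_legitimate_login())
```

The design point is that `is_authenticated_fixed` never consults the cookie jar and never accepts a "which factor" value it did not write itself from the OTP path; any side flow such as account linking can set whatever cookies it likes without changing the answer. Note that the security-question fallback is not a bug in the code-checking logic at all; it is a policy choice to let a second knowledge factor stand in for the possession factor, which is why the fix is to refuse it rather than to validate it more carefully.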

By publishing the bug on his blog, Rogers has forfeited PayPal's usual bug-bounty reward. Rogers said he first made PayPal aware of the flaw in early June, and when nothing had happened by early August he decided to forgo the money and post the problem himself, probably costing himself about $3,000, reports PC World.

"I don't care about the money, no," he said via e-mail to PC World. "Money isn't everything in this world."