Back in June, security researcher, Joshua Rogers, discovered a bug in Paypal's two factor authentication system, allowing it to be completely bypassed by logging in through a ‘special' page. Despite Rogers reporting the bypass several times, the company has yet to patch it up or even acknowledge the problem and as a result, the security researcher is now revealing his findings publicly for the first time.
“On the 5th of June, 2014, I found a complete bypass for Paypal‘s 2FA service, in which anybody would be able to access a Paypal account that has 2FA setup, by only logging in through a ‘special' Paypal page.” Rogers said in a blog post. “On the 5 August, I have decided to release this publicly, because despite two months given, it still hasn't been fixed.”
The exploit is largely down to how Paypal interacts with eBay. When linking your Paypal account to eBay, you are directed to a login page that contains “=_integrated-registration” in the URL. Once you've logged in, a cookie is saved with all of your details. As long as that cookie is there, your account will automatically login whenever you go to Paypal, eliminating the need to type in your details again.
“Doing a quick Google search for this shows that it isn't used for anything other than eBay; thus it is setup purely for Paypal and eBay. Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lays. Now just load http://www.paypal.com/, and you are logged in, and don't need to re-enter your login.”
“You could repeat the process using the same “=_integrated-registration” page unlimited times.”
Discuss on our Facebook page, HERE.
KitGuru Says: I'm not a security expert but I'm pretty sure a service as important as Paypal shouldn't be ignoring security researchers when they report a bug or a loophole in the system. Even if this turned out to not be a big deal, the company should still be acknowledging problems when they are reported. What do you guys make of this?
Source: The Inquirer