PayPal has patched a two-factor authentication (2FA) bug that could have let an attacker bypass its login processes.
Turned up by Vulnerability Labs' Shawar Khan, the problem existed in how PayPal's API implemented the "PayPal preview" portal. The good news is that the exploit needed access to the victim's browser.
Here's the process documented in the advisory:
1. Open the PayPal UK Login Portal in a new tab (keep it open)
2. In another tab, open the PayPal Preview Login Portal
3. Log in to your account at the URL which was opened in step 2
4. Enter your credentials in the new window which appears
5. Refresh the page which was opened in step 1
6. Now you will be logged in. Click on the "view account" button, which will lead you to your account, and the 2-step verification will be bypassed.
In other words: if a user has logged in via the preview portal and leaves the browser open, an attacker opening the main login portal would reach the victim's account without triggering the 2FA process.
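As an added illustration (not PayPal's code and not taken from the advisory), here is a minimal model of the failure mode just described: two login endpoints share one session store, the preview endpoint never runs the 2FA step, and the vulnerable account page checks only for a live session rather than for a completed 2FA challenge. All endpoint and variable names are assumptions.

```python
# Added example, not PayPal's code: a toy model of a secondary login
# endpoint minting sessions that the main portal accepts without 2FA.
from dataclasses import dataclass
from typing import Dict, Optional
import secrets


@dataclass
class Session:
    user: str
    mfa_done: bool = False  # set only after a 2FA challenge succeeds


SESSIONS: Dict[str, Session] = {}  # cookie value -> session (constructed, in-memory)
USERS_WITH_2FA = {"alice"}         # constructed sample: alice enrolled in 2FA


def _new_session(user: str, mfa_done: bool) -> str:
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = Session(user, mfa_done)
    return cookie


def preview_login(user: str, password_ok: bool) -> Optional[str]:
    """Preview portal (assumed): password only, never challenges for 2FA."""
    return _new_session(user, mfa_done=False) if password_ok else None


def main_login(user: str, password_ok: bool, otp_ok: bool) -> Optional[str]:
    """Main portal (assumed): password plus OTP for users enrolled in 2FA."""
    if not password_ok:
        return None
    if user in USERS_WITH_2FA and not otp_ok:
        return None
    return _new_session(user, mfa_done=user in USERS_WITH_2FA)


def view_account_vulnerable(cookie: str) -> bool:
    """Vulnerable check: any live session is enough, whichever endpoint issued it."""
    return cookie in SESSIONS


def view_account_fixed(cookie: str) -> bool:
    """Hardened check: the session itself must record a completed 2FA step
    when the user is enrolled; a preview-portal session does not qualify."""
    s = SESSIONS.get(cookie)
    if s is None:
        return False
    return s.mfa_done or s.user not in USERS_WITH_2FA
```

The same property is what a detection rule would look for in production: account-page access by a 2FA-enrolled user whose session was issued by a login path that logged no OTP verification.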
The "preview portal" linked in the advisory no longer responds. ®