Researchers: PayPal's two-factor authentication was easy to bypass

Researchers have found that bypassing PayPal's two-factor authentication was trivial. Two-factor authentication is meant to protect accounts better, but the variant PayPal offered provided little extra protection in practice.

The vulnerability was discovered by security firm Duo Security. When two-factor authentication is enabled on a PayPal account, the PayPal server sends a variable "2fa_enabled" with the value "true". By intercepting the traffic and changing that value to "false", the process could be bypassed completely, the company discovered.

Incidentally, an attacker must still have the username and password of a PayPal user. These could possibly be intercepted with a keylogger, after which the added protection of two-factor authentication is gone: an attacker could then set up a login attempt on his own computer in which the additional account protection is bypassed.

The researchers wrote their own Python script that abused the vulnerability, allowing the authentication step to be bypassed and a rogue transaction to be set up. This was possible because PayPal's mobile apps do not yet support accounts with two-factor authentication: the "2fa_enabled" variable is only meant to tell the app that the additional account protection is enabled, so that the app can show an error message instead of proceeding.
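The failure mode described above is that the second factor was enforced by the client (the app was expected to stop when it saw the flag) rather than by the server, so anyone who could rewrite the response could skip it. The following added example, which is not PayPal's, Duo Security's or the article's code, models both designs with constructed account data and hypothetical class and function names: a vulnerable server that issues a fully privileged session on password alone and merely reports the flag, and a hardened server that tracks second-factor verification itself and gates transactions on it. A `tamper` helper simulates the intercepted response with the flag flipped.

```python
"""Client-side vs. server-side enforcement of a second factor.

Illustrative model only; the account store, token format and all names
are constructed for this example and are not from any real service.
"""
import hmac
import secrets

# Constructed sample account. Plaintext comparison is used for brevity;
# a real system would store a password hash and a TOTP secret.
ACCOUNTS = {
    "alice": {"password": "correct horse", "2fa_enabled": True, "otp": "123456"},
}


class VulnerableServer:
    """Password success yields a full session; 2FA is only *reported*."""

    def __init__(self):
        self.sessions = {}  # token -> username

    def login(self, user, password):
        acct = ACCOUNTS.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return {"ok": False}
        token = secrets.token_hex(16)
        self.sessions[token] = user  # already fully privileged
        return {"ok": True, "token": token, "2fa_enabled": acct["2fa_enabled"]}

    def transfer(self, token, amount):
        return token in self.sessions  # no second-factor check at all


class HardenedServer:
    """Password success yields a pre-auth session; the server tracks verification."""

    def __init__(self):
        self.sessions = {}  # token -> {"user": ..., "verified": bool}

    def login(self, user, password):
        acct = ACCOUNTS.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return {"ok": False}
        token = secrets.token_hex(16)
        # Verified immediately only when the account has no second factor.
        self.sessions[token] = {"user": user, "verified": not acct["2fa_enabled"]}
        return {"ok": True, "token": token, "2fa_enabled": acct["2fa_enabled"]}

    def verify_second_factor(self, token, otp):
        sess = self.sessions.get(token)
        if sess is None:
            return False
        if hmac.compare_digest(ACCOUNTS[sess["user"]]["otp"], otp):
            sess["verified"] = True
        return sess["verified"]

    def transfer(self, token, amount):
        sess = self.sessions.get(token)
        # Enforcement lives here, independent of anything the client reported.
        return sess is not None and sess["verified"]


def client_flow(server, resp):
    """An app that stops only when the response says 2FA is enabled."""
    if not resp["ok"] or resp["2fa_enabled"]:
        return False
    return server.transfer(resp["token"], 100)


def tamper(resp):
    """Simulates an intercepting proxy rewriting the flag in the response."""
    return {**resp, "2fa_enabled": False}


def demo():
    v, h = VulnerableServer(), HardenedServer()
    honest_v = client_flow(v, v.login("alice", "correct horse"))
    tampered_v = client_flow(v, tamper(v.login("alice", "correct horse")))
    tampered_h = client_flow(h, tamper(h.login("alice", "correct horse")))
    # Legitimate hardened flow: second factor is presented and verified.
    resp = h.login("alice", "correct horse")
    h.verify_second_factor(resp["token"], "123456")
    legit_h = h.transfer(resp["token"], 100)
    return {
        "honest_vulnerable": honest_v,      # False: app stops on the flag
        "tampered_vulnerable": tampered_v,  # True: flag flipped, transfer goes through
        "tampered_hardened": tampered_h,    # False: server never marked it verified
        "legit_hardened": legit_h,          # True: OTP verified server-side
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is that the `2fa_enabled` flag in the response is purely informational; the session's `verified` state is kept on the server and checked at every privileged operation, so rewriting the response changes what the client displays but not what the server permits.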

PayPal was informed of the security issue at the end of March, but only last week put a temporary workaround in place that prevents the problem. A final fix is not expected until the end of July.
