Trivial Bypass of PayPal Two-Factor Authentication On Mobile Devices
chicksdaddy (814965) writes "According to DUO, PayPal's mobile app doesn't yet support Security Key and displays an error message to users with the feature enabled when they try to log in to their PayPal account from a mobile device, terminating their session automatically. However, researchers at DUO noticed that the PayPal iOS application would briefly display a user's account information and transaction history prior to displaying that error message and logging them out. ... The DUO researchers investigated: intercepting and analyzing the Web transaction between the PayPal mobile application and PayPal's back end servers and scrutinizing how sessions for two-factor-enabled accounts versus non-two-factor-enabled accounts were handled. They discovered that the API uses the OAuth technology for user authentication and authorization, but that PayPal only enforces the two-factor requirement on the client — not on the server."
The attack worked simply by intercepting a server response and toggling a flag (2fa_enabled) from true to false. After being alerted, PayPal added a workaround to limit the scope of the hole.
Update: 06/26 00:42 GMT by T: (Get the story straight from the source: Here's the original report from DUO.)
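The flaw the summary describes, modelled as an added example that is not DUO's or PayPal's code: the vulnerable login hands the client a fully usable session plus an advisory 2fa_enabled flag and leaves enforcement to the app, while the hardened login keeps the session in a "second factor owed" state until the server itself has seen the code. The account record, salt, password and one-time code are constructed.

```python
"""Added example, not DUO's or PayPal's code: the server must decide whether a
second factor is still owed from its own account record, never from a
2fa_enabled flag that only the client acts on."""
import hashlib
import hmac

def pw_hash(password):  # constructed fixed salt; use a per-user random one
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"salt", 100_000)

# Constructed account store; two_factor_enabled is the server's own record and
# pending_otp stands in for whatever second-factor code the server expects.
ACCOUNTS = {"alice": {"pw": pw_hash("correct horse"), "two_factor_enabled": True,
                      "pending_otp": "493817"}}

# A session is (user, state); state is "password_ok" while a second factor is
# still owed, and "authenticated" once the server itself has verified it.
def check_password(user, password):
    acct = ACCOUNTS.get(user)
    return acct if acct and hmac.compare_digest(acct["pw"], pw_hash(password)) else None

def login_vulnerable(user, password):
    """Shape of the reported bug: the server issues a fully usable session and
    merely tells the client 2fa_enabled=true; enforcement is left to the app,
    so a client that ignores or rewrites the flag is served account data."""
    acct = check_password(user, password)
    if acct is None:
        return None, None
    return (user, "authenticated"), {"2fa_enabled": acct["two_factor_enabled"]}

def login_hardened(user, password):
    """Same flow, but the session stays short of authenticated until step two."""
    acct = check_password(user, password)
    if acct is None:
        return None
    return (user, "password_ok" if acct["two_factor_enabled"] else "authenticated")

def submit_otp(session, code):
    """Second step: only the server-held expected code promotes the session."""
    user, state = session
    if state == "password_ok" and hmac.compare_digest(ACCOUNTS[user]["pending_otp"], code):
        return (user, "authenticated")
    return session

def transactions(session):
    """Account data goes out only to a fully authenticated session, so a client
    never has history to flash on screen before it shows a 2FA error."""
    if session is None or session[1] != "authenticated":
        return None
    return ["constructed: -12.00 coffee", "constructed: +100.00 refund"]
```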
Does this work on Slashdot too? (Score:5, Funny)
/comment&FunnyFlag=1
two factor ID based on cell phones is crap (Score:2)
Currently the paradigm is that if someone has control of your cell phone, your two-factor ID becomes zero-factor ID. This is because nearly all cell phones can collect e-mail, allowing a password reset to be performed. Likewise, cell phones display text messages with the second factor. So you are hosed. Even if you have a screen lock on your phone, have you ever lent your phone to a stranger to "make a call" or take a photo?
The workaround for this is to have a second e-mail address that you don't have associate
Re: (Score:2)
It's better than nothing,
To the extent that this fig leaf is accepted in place of having real security via the simple expedient of a secondary e-mail address for password resets, this is getting baked into the system and will be hard to unwind later.
To see what I mean, look at the silly "application specific password" kludge Google introduced to let you collect e-mail bypassing two-factor ID, and the password storage vulnerabilities. Nuts.
it should be baked in that all sites that use 2-factor also allow (or require) a 2nd address for all
Re: (Score:2)
Except that the remote wipe has itself proven dangerous enough that some people are (reluctantly) disabling it so they don't get screwed by someone that has the last 4 digits of their CC.
Re: (Score:2)
This does not allow the stranger to do anything but make a call or take a photo. Why would you think it does? The phone lock does just fine for securing the phone, and the ridiculous hoops you expect people to jump through instead would be harmful to the user experience while not increasing security at all. In short, your idea is terrible.
Re: (Score:2)
Re: (Score:1)
Have you looked at sneakemail.com?
Well, arguably, sneaker mail is the most secure. Only the person I hand it to gets it.
Re: (Score:1)
Car analogy (Score:2)
Ahhh ... (Score:4)
Security by incompetence.
No thanks, Pay Pal. You're not a bank, and apparently terrible at security. So you're not trustworthy.
Client side enforcement of two factor authentication may give the illusion of security, but it's anything but.
This is either lazy/incompetent programmers, or idiot managers.
Re: (Score:3)
When they added complexity requirements, I used Tamper to change my password to something they wouldn't allow. It worked; then they fixed the hole and forced me to change the password 3 weeks later.
Re: (Score:2)
Pretty easy:
Convert request password variable to hash.
Check password hash against DB.
If successful, check request password variable against current standard password strength rules.
If it fails, expire the password and force a password reset prior to login.
No need to store the password, just have to expire it on the next login if there is trouble.
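The procedure in that comment, as an added example (not the commenter's code): the stored hash verifies the login, the plaintext that arrived with the request is checked against the current rules only at that moment, and a failing password is flagged expired rather than stored. The user record, salt and passwords are constructed.

```python
"""Added example, not the commenter's code: re-check the password against the
current strength rules at login, after the stored hash has verified it, and
expire it if it falls short. Only the hash is ever stored."""
import hashlib
import hmac
import re

CURRENT_POLICY = 2  # bump this whenever RULES change
RULES = [(lambda p: len(p) >= 12, "at least 12 characters"),
         (lambda p: re.search(r"\d", p) is not None, "a digit"),
         (lambda p: re.search(r"[^\w\s]", p) is not None, "a symbol")]

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user record: hash made under policy version 1 (looser rules).
USERS = {"bob": {"salt": b"constructed-salt", "policy": 1, "expired": False}}
USERS["bob"]["hash"] = pw_hash("summer2014", USERS["bob"]["salt"])

def failing_rules(password):
    return [why for ok, why in RULES if not ok(password)]

def login(user, password):
    """Returns 'bad_credentials', 'reset_required' or 'ok'."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["hash"], pw_hash(password, rec["salt"])):
        return "bad_credentials"
    if rec["expired"]:
        return "reset_required"
    # The plaintext is in hand only here, so this is the one place to re-check
    # it; the verdict is kept as an expiry flag, never the password itself.
    if rec["policy"] < CURRENT_POLICY:
        if failing_rules(password):
            rec["expired"] = True
            return "reset_required"
        rec["policy"] = CURRENT_POLICY  # passes the new rules; no need to re-check
    return "ok"

def set_password(user, new_password):
    """Reset path: the replacement must satisfy the current rules."""
    if failing_rules(new_password):
        return False
    rec = USERS[user]
    rec["hash"] = pw_hash(new_password, rec["salt"])
    rec["policy"], rec["expired"] = CURRENT_POLICY, False
    return True
```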
Re: (Score:2)
Easy. For changing your password, at least, passwords are transmitted to them in cleartext and hashed server-side. Hashing passwords is done before storing the password, not before transmitting it.
Re: (Score:2)
Supposing PayPal takes full financial responsibility, why should you care so much? As it is in their best interest to do so, let's see how they follow through.
Re:Ahhh ... (Score:4, Interesting)
Yeaaahh, that's the issue: they don't.
They're not a "bank" in legal speak so they do not provide the type of protection that banks usually provide. Neither are they backed by the government guarantees. That's why they're able to randomly freeze accounts, too, if their algorithms suspect things.
Re:Ahhh ... (Score:5, Interesting)
Because if they were regulated as a bank, they would operate under specific rules.
At present, they operate under "whatever the hell we want to do", and can basically do all sorts of crap a bank wouldn't be able to -- like seizing your money.
I place precisely zero trust in PayPal, and never have. Precisely because their dispute resolution process is non-existent, and made up and enforced entirely by them.
You can feel free to do whatever the heck you like. Me, I won't go anywhere near them.
Re: (Score:2, Informative)
You're either a fool or a liar. I've had funds frozen for months by PayPal with no explanation (eventually released with no apology from them), and I've also disputed recurring PayPal charges stemming from a shit VPS provider [vpstree.com] who had completely ignored several of my attempts to cancel services. In the latter case, PayPal decided to rule in the shit provider's favor anyhow. I walked away from PayPal permanently after finally getting the last of my money out of that account (again, several months later, and I
Re: (Score:1)
Wow, I got modded "flamebait" for posting factual information. PayPal employees must be scrambling to man their sockpuppet accounts tonight. That's a shame; perhaps treating their customer base with respect and decency might be a better use of their time. I somehow doubt the downmod has anything to do with VPS Tree (the shit VPS provider) though, since they can't even be bothered to maintain a page for their About Us [vpstree.com] link these days.
Re: (Score:2)
Seriously, this post should be modded up as informative. Thanks for taking the time to write it. It was wrong to be down-modded so. People might disagree with you, but you're certainly not an anonymous coward!
Re: (Score:1)
You're not a bank, and apparently terrible at security.
I've heard a lot of actual banks fail at online security, too.
Re: (Score:3)
I was just using https://www.ssllabs.com/ [ssllabs.com] to check out some financial sites:
amhfcu.org : F, supports insecure SSL 2.0
tdbank.com - A-
republictt.com/ - not the local bank.. apparently uses java.. .ugh..
republicbank.com - powered/provided by intuit - A-
sjfcu.online-cu.com - B - due to not supporting TLS 1.2. (used by likely a few cu)
bankofamerica.com - inconsistent - B, A-
wellsfargo.com - B - due to not supporting TLS 1.2
paypal.com - A- uses mixed content on home page.. really?
secure.ally.com - B - TLS 1.2 c
Re: (Score:2)
I can tell you for a fact, a free Class 1 StartSSL certificate can achieve an A+ rating from ssllabs.com when/if the technical server configuration is correct, because I saw it happen just this week on a server somewhere. StartSSL seems to make a profit by allowing newbies a free, documented (but otherwise 'supported' to what extent I didn't test at all...) learning process and having to pay higher than normal revocation fees to get everything functional and correctly setup. I made this mistake once myself,
Re: (Score:3)
Your point that they're not a bank appears to be completely irrelevant to the discussion.
Re: (Score:1)
1. PayPal is a Bank in Europe
2. why on earth would anyone install some PayPal app on a device that is used for two factor authentication - effectively making it a single factor authentication again
Re: (Score:2)
Why do you think banks are trustworthy.. or good at security?
Main website too (Score:2)
If you have a very little bit of information, it's pretty easy to get around it on the regular website too, but I suppose it's better than nothing...
Rookie mistake (Score:4, Interesting)
PayPal only enforces the two-factor requirement on the client
Many rookie developers just take the easy way and think that they can simply validate data client side. Never trust the client (even if you wrote it), the minute it is out there, someone can tamper with it.
I see this kind of mistake coming from startups, or the little indie guy making his web site, or the new hire with little experience. For a seasoned tech company like PayPal this is an epic fail. Even if they had a rookie do this app, they need a senior programmer to do a code review, and if they did, then they need to replace him.
Embarrassing, and inexcusable.
Re: (Score:2)
Many ostensibly senior developers do this too.
I am always tempted to discourage client-side validation, at least in the initial phase of any implementation. Prove to me that the server-side is locked down tightly first... then we'll worry about giving the client instant-feedback. Hell, don't even assume that the values you've provided in your hidden fields, drop-down lists, and radio buttons are the ones which will make it to the server.
Re: (Score:2)
No fucking kidding. I wouldn't trust the client when I did FUCKING HOBBY GAME PROGRAMMING in my spare weekend time.
And that was to check that someone's magic sword wasn't bothering other players.
Fuckin' hacks.
Re: (Score:2)
I did some web stuff in the year 2000, back when PayPal was nothing but a Palm Pilot app. Even back then, as the rules were still being written (Javascript was relatively new), you "program convenience on the client, validate everything on the server no matter what".
Seems they never learned that.
Don't worry. Everything is fine now. (Score:5, Funny)
The attack worked simply by intercepting a server response and toggling a flag (2fa_enabled) from true to false. After being alerted, PayPal added a workaround to limit the scope of the hole.
That's nice, but is adding a new flag called "2fa_really_enabled" to prevent any exploits of the original hole from working really the best way to deal with this?
lol (Score:1)
Security Gate at PayPal's headquarters (Score:5, Funny)
RFC 6238 or GTFO (Score:2)
This is part of why I don't bother to support half-assed roll-your-own 2FA systems like PayPal's, or stupid SMS-based schemes like Apple's. If you want to offer 2FA, offer me RFC 6238 so I can handle all my 2FA accounts in one convenient app and I know you didn't invent it yourself.
Mind you, I guess PayPal's programmers would have just implemented RFC 6238 client side and sent an extra parameter to say I'd got the code right.
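What RFC 6238 actually specifies, as an added example that is not the commenter's code: HOTP (RFC 4226) over a 30-second time counter, with the code checked on the server, a small drift window, and refusal to accept the same time step twice. The secret is the SHA-1 test secret from the RFC's Appendix B so the values can be checked against its vectors; the per-user replay record is constructed.

```python
"""Added example, not the commenter's code: RFC 6238 TOTP computed and
verified on the server side, checked against the RFC's Appendix B vectors."""
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of time steps elapsed."""
    return hotp(secret, unix_time // step, digits)

def matching_step(secret, submitted, unix_time, step=30, digits=6, window=1):
    """Return the time step whose code matches, or None. Tolerates +/- window
    steps of clock drift; every comparison is constant time."""
    for k in range(-window, window + 1):
        t = unix_time // step + k
        if hmac.compare_digest(hotp(secret, t, digits), submitted):
            return t
    return None

LAST_STEP = {}  # constructed per-user record of the last accepted time step

def verify_totp(user, secret, submitted, unix_time=None, step=30, digits=6, window=1):
    """Server-side decision: the server checks the code itself and refuses a
    step at or before the last accepted one, so a captured code cannot be replayed."""
    now = int(time.time()) if unix_time is None else unix_time
    t = matching_step(secret, submitted, now, step, digits, window)
    if t is None or t <= LAST_STEP.get(user, -1):
        return False
    LAST_STEP[user] = t
    return True

# Shared secret from RFC 6238 Appendix B (SHA-1 row); real secrets are random.
RFC_SECRET = b"12345678901234567890"
```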
I'm 100% immune. (Score:2)
The fucking thing hasn't ever worked for me, not once, not ever. Always blaming the server side. Win!
Not the first time... (Score:2)
Not the first time this has happened. PayPal are clowns.
In 2009 [grc.com] (ctrl-f for "bypass the use").
In 2011 [grc.com] (ctrl-f for "don't have your football"), where they allowed use of common knowledge as a fallback if you didn't have your 'football'.