Trivial Bypass of PayPal Two-Factor Authentication On Mobile Devices
chicksdaddy (814965) writes "According to DUO, PayPal's mobile app doesn't yet support Security Key and displays an error message to users with the feature enabled when they try to log in to their PayPal account from a mobile device, terminating their session automatically. However, researchers at DUO noticed that the PayPal iOS application would briefly display a user's account information and transaction history prior to displaying that error message and logging them out. ... The DUO researchers investigated: intercepting and analyzing the Web transaction between the PayPal mobile application and PayPal's back end servers and scrutinizing how sessions for two-factor-enabled accounts versus non-two-factor-enabled accounts were handled. They discovered that the API uses the OAuth technology for user authentication and authorization, but that PayPal only enforces the two-factor requirement on the client — not on the server."
The attack worked simply by intercepting a server response and toggling a flag (2fa_enabled) from true to false. After being alerted, PayPal added a workaround to limit the scope of the hole.
Update: 06/26 00:42 GMT by T: (Get the story straight from the source: Here's the original report from DUO.)
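The root cause described above, client-side enforcement of the second factor, is easiest to see next to the server-side alternative. The toy API below is an added illustration, not DUO's or PayPal's code; users, endpoints, codes and the `2fa_enabled` / `2fa_required` fields are constructed for the example.

```python
import secrets

# Constructed sample data (not real accounts): one user with 2FA enabled.
USERS = {"alice": {"password": "pw-alice", "totp": "123456", "2fa_enabled": True}}
ACCOUNT_DATA = {"alice": {"balance": "42.00", "history": ["coffee", "books"]}}

class VulnerableApi:
    """Password login yields a fully privileged token plus a 2fa_enabled hint;
    only the client decides whether to prompt for the second factor."""
    def __init__(self):
        self.sessions = {}  # token -> user
    def login(self, user, password):
        u = USERS.get(user)
        if not u or not secrets.compare_digest(password, u["password"]):
            return None
        tok = secrets.token_hex(8)
        self.sessions[tok] = user  # already good for every API call
        return {"token": tok, "2fa_enabled": u["2fa_enabled"]}
    def account(self, token):
        user = self.sessions.get(token)
        return ACCOUNT_DATA[user] if user else None

class HardenedApi:
    """Password login yields only a pending session when 2FA is enabled; the
    server itself upgrades it after checking the code, whatever the client says."""
    def __init__(self):
        self.sessions = {}  # token -> (user, second_factor_verified)
    def login(self, user, password):
        u = USERS.get(user)
        if not u or not secrets.compare_digest(password, u["password"]):
            return None
        tok = secrets.token_hex(8)
        self.sessions[tok] = (user, not u["2fa_enabled"])
        return {"token": tok, "2fa_required": u["2fa_enabled"]}
    def verify_2fa(self, token, code):
        user, _ = self.sessions.get(token, (None, False))
        if user and secrets.compare_digest(code, USERS[user]["totp"]):
            self.sessions[token] = (user, True)
            return True
        return False
    def account(self, token):
        user, verified = self.sessions.get(token, (None, False))
        return ACCOUNT_DATA[user] if user and verified else None

def simulate(api):
    """Client logs in, flips the flag the story mentions, skips the prompt and
    asks for account data; returns True if the server hands the data over."""
    resp = api.login("alice", "pw-alice")
    resp["2fa_enabled"] = False   # tampered response: the client-side check is gone
    resp["2fa_required"] = False
    return api.account(resp["token"]) is not None
```

The flag flip is irrelevant to the hardened server because its session record, not the response body, decides whether the second factor was verified.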
Re:Ahhh ... (Score:2, Informative)
You're either a fool or a liar. I've had funds frozen for months by PayPal with no explanation (eventually released with no apology from them), and I've also disputed recurring PayPal charges stemming from a shit VPS provider [vpstree.com] who had completely ignored several of my attempts to cancel services. In the latter case, PayPal decided to rule in the shit provider's favor anyhow. I walked away from PayPal permanently after finally getting the last of my money out of that account (again, several months later, and I still never got any of the fraudulent VPS fees refunded), and I will never transact business with them again. In fact, since January of 2012 I've continued to receive an email entitled "First Invoice Overdue Notice" from the shit VPS provider every month. Those emails serve as a nice reminder to encourage folks to avoid PayPal at all costs; people continue to use them out of sheer stupidity.
Paypal Policy - A License To Steal Your Money [hubpages.com]
Funds Stolen By PayPal [paypalwarning.com]
PayPal - Beware of PayPal, 6000 USD seized by Paypal [prestashop.com]
180-Day Hold Sparks PayPal Suit [lawyersand...ements.com]
Paypal Can and Will seize funds...Atwood Knives [edcforums.com]
Another PayPal victim $4000.00 seized from my business account. [paypalsucks.com]
PayPal Horror Stories [screw-paypal.com]
If you get bored, try these as well:
Exhibit A [lmgtfy.com]
Exhibit B [lmgtfy.com]
So, which is it? Are you a liar, or are you a fool?