Forgot your password?
typodupeerror
Bug Security

PayPal's Two-Factor Authentication Can Be Bypassed Using eBay Bug 33

Posted by Unknown Lamer
from the get-your-60day-exploits dept.
About six weeks ago, a hole in Paypal's two factor authentication and their mobile client was discovered. hypnosec (2231454) wrote in with news of another trivial way to bypass Paypal's two-factor authentication. A bug in a feature for eBay integration allows passing a GET parameter to completely bypass two-factor authentication, and you don't even need to be coming from eBay to use it. You still need the password, but additional protection is lost. From the article: eBay, in conjunction with Paypal, provide a service as to where you can link your eBay account to your Paypal account, and when you sell something on eBay, the fees automatically come out of your Paypal account. ... When you are redirected to the login page, the URL contains "=_integrated-registration." ... Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lays. Now just load http://www.paypal.com/ , and you are logged in, and don't need to re-enter your login. So, the actual bug itself is that the "=_integrated-registration" function does not check for a 2FA code, despite logging you into Paypal. You could repeat the process using the same "=_integrated-registration" page unlimited times.
This discussion has been archived. No new comments can be posted.

PayPal's Two-Factor Authentication Can Be Bypassed Using eBay Bug

Comments Filter:
  • by Kenja (541830) on Tuesday August 05, 2014 @10:37AM (#47606965)
    Perhaps I'm not understanding... but as my PayPal and eBay accounts have different passwords and i have two factor authentication setup using a DigiPass 5 rotating cypher key, I am unable to replicate what is being reported. No mater what, I am prompted for my DigiPass token key and password.
    • by cciechad (602504)
      I saw this yesterday. It hasn't always been like this. It let me pay for an eBay transaction yesterday without asking for my OTP for Paypal.
    • Re: (Score:1, Interesting)

      The hole was found six weeks ago. If they didn't fix it within that time frame, we'd have a serious problem on our hands. http://it.slashdot.org/story/1... [slashdot.org]
    • If you log in here: https://www.paypal.com/cgi-bin... [paypal.com] (Make sure you check it's https://www.paypal.com/ [paypal.com] !! ) Does it work? The eBay account that is used in the 'exploit' does NOT have to be associated with the Paypal account. Any eBay account can be used. You can even create a new one, with a completly random email.
    • Perhaps I'm not understanding... but as my PayPal and eBay accounts have different passwords and i have two factor authentication setup using a DigiPass 5 rotating cypher key, I am unable to replicate what is being reported. No mater what, I am prompted for my DigiPass token key and password.

      I'm not sure I understand the hole either... but it doesn't matter. I can't remember a time period when Paypals 2 factor authentication hasn't been broken. Authentication isn't that hard but paypal manages to have so many loopholes in their authentication process that we hear about a new one every few weeks. Given that, I just assume the service has quite a few, as of yet, undiscovered holes. I don't store money there, and I have it linked to its own special account in my bank so I know exactly whats coming

      • by tepples (727027)

        Authentication isn't that hard

        It is if you don't want to have to pay for dedicated second factor hardware or pay a cellular carrier for SMS or data service every time you authenticate.

    • by Guppy06 (410832)

      Are the accounts "linked?"

  • From now on, I'm paying for everything with doubloons.
  • The article says he won' be eligible for $2500-$3000. It's hardly worth it. Getting worldwide attention, and a good reputation for finding a major security vulnerability in a major website is worth a LOT more than $3000, especially when you've waited 60 days after disclosing it.

    I'd say the bounty should be about 10x for major problems like this that are easily reproducible, and have a high impact.

  • That's like allowing a gas station to change the amount to transfer after you entered your PIN or just like chaning the amount in a checke after you received it.

    Anyway, PayPal thinks this is a feature: http://seclists.org/fulldisclosure/2014/Jul/86

    • by tepples (727027) <tepples AT gmail DOT com> on Tuesday August 05, 2014 @01:56PM (#47608311) Homepage Journal

      That's like allowing a gas station to change the amount to transfer after you entered your PIN

      Except they already do that. The cardholder slides the card and puts in a PIN before pumping the fuel, at which time the pump doesn't know how much fuel the cardholder will pump. So the pump places an "authorization" for $100 or so, which lowers the cardholder's credit limit by $100 for the rest of the day, and turns on for up to $100 of fuel. Later, the pump performs a "capture" that releases the "authorization" and makes the payment final.

If money can't buy happiness, I guess you'll just have to rent it.

Working...