Australian finds way to bypass PayPal two-factor authentication


PayPal account security is at risk again.

Australian researcher Joshua Rogers has discovered a method for getting past PayPal's two-factor authentication, which is possible due to an issue in the way that PayPal accounts integrate with eBay accounts.

The exploit requires primary credentials, Rogers told in a Tuesday email correspondence, explaining that a successful bypass could enable an attacker to log on and do anything a regular user can do, including send money, as well as change settings such as the account password.

A PayPal spokesperson told in a Tuesday email correspondence that the company is aware of the issue, which is limited to a small number of integrations with Adaptive Payments, and is working on getting it addressed as quickly as possible.

Rogers said PayPal told him something similar on 5 June when he notified the company of the bypass exploit, but apparently the problem was never fixed, so he decided to disclose the issue in a Monday post.

When setting up the integration feature from any eBay account, Rogers wrote, users are taken to a PayPal login page with a URL that contains “=_integrated-registration,” which a Google search shows is used solely for PayPal account and eBay account integration.

“Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process,” Rogers wrote. “And this is where the exploit lies. Now just load, and you are logged in, and don't need to re-enter your login.”

Rogers added, “So, the actual bug itself is that the "=_integrated-registration" function does not check for a [two-factor authentication] code, despite logging you into PayPal.”

It works because PayPal assumes that an account logged in through eBay must belong to the same person, Rogers said, adding that one reason for the problem might simply be that developers forgot to update the code for that login path.

“I consider it a significant vulnerability,” Rogers said, adding that implementing a fix should be simple. “If you think of [two-factor authentication] as a second password, it's like making the second password completely obsolete.”
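As an added illustration (not PayPal's or eBay's code, and no claim about how their systems are actually built), the bug class Rogers describes in a minimal Python login model: a separate, integration-specific login path that issues a full session without consulting the second factor, beside the hardened version in which that path reuses the one login function that enforces it. The account record, password and code are constructed sample values.

```python
import secrets

# Constructed sample account: password plus an enrolled second factor.
ACCOUNTS = {
    "alice": {"password": "correct horse battery", "mfa_enabled": True, "mfa_code": "123456"},
}
SESSIONS = {}  # session token -> username (stands in for the "cookie with your details")


def _password_ok(user, password):
    return user in ACCOUNTS and secrets.compare_digest(ACCOUNTS[user]["password"], password)


def _second_factor_ok(user, mfa_code):
    acct = ACCOUNTS[user]
    if not acct["mfa_enabled"]:
        return True
    return bool(mfa_code) and secrets.compare_digest(acct["mfa_code"], mfa_code)


def _issue_session(user):
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    return token


def login(user, password, mfa_code=None):
    """The primary login path: password AND second factor before a session is issued."""
    if not _password_ok(user, password) or not _second_factor_ok(user, mfa_code):
        return None
    return _issue_session(user)


def integrated_registration_login_vulnerable(user, password):
    """A second login path written separately for an integration flow.
    It only checks the password, so the second factor is never consulted
    and the session it issues is as powerful as one from login()."""
    if not _password_ok(user, password):
        return None
    return _issue_session(user)  # BUG: second factor skipped entirely


def integrated_registration_login_fixed(user, password, mfa_code=None):
    """Hardened form: every entry point funnels through the single function
    that enforces the second factor, so no path can issue a session without it."""
    return login(user, password, mfa_code)


def is_logged_in(token):
    return token in SESSIONS
```

The fix itself is a one-line change; the design point is that session issuance has exactly one chokepoint, so a new login flow cannot forget the second factor.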

This article originally appeared at

Copyright © SC Magazine, US edition