Duo Security Researchers Uncover Bypass of PayPal's Two-Factor Authentication

Duo Labs, Zach Lanier

Researchers at Duo Labs, the advanced research team at Duo Security, discovered that it is possible to bypass PayPal's two-factor authentication (the Security Key mechanism, in PayPal nomenclature).

The vulnerability lies primarily in the authentication flow for the PayPal API web service () - an API used by PayPal's official mobile applications, as well as numerous third-party merchants and apps - but also partially in the official mobile apps themselves.

As of the date of this post (June 25), PayPal has put a workaround in place to limit the impact of the vulnerability, and is actively working on a permanent fix.

In light of the vulnerability reporting timeline and the trivial discoverability of the vulnerability, we have elected to publicly disclose this issue, so that users can be informed of the risks to their PayPal account security.

Duo would also like to thank Dan Saltman from EverydayCarry for his assistance in the initial reporting of this issue.

Impact

An attacker only needs a victim's PayPal username and password in order to access a two-factor protected account and send money. The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified.

While PayPal's mobile apps do not currently support 2FA-enabled accounts, it is possible to effectively trick the PayPal mobile applications into ignoring the 2FA flag on the account, subsequently allowing an attacker to log in without requiring secondary authentication.

We developed a proof-of-concept exploit to leverage this lack of 2FA enforcement, interfacing with the PayPal API directly and effectively mimicking the PayPal mobile app as though it were accessing a non-2FA account. The exploit communicates with two separate PayPal API services - one to authenticate (only with primary credentials), and another to transfer money to a destination account.

Note that the standard browser-based PayPal web interface is not affected by the bypass. However, since an attacker can simply use the underlying API to gain full account access, this distinction is purely academic.

Below is a brief video that discusses and demonstrates the PayPal two-factor bypass:

Duo Labs - PayPal Hack (Long) V5

Technical Details

The vulnerability lies primarily in the authentication flow for PayPal's API web services. In particular, , a REST-ful API which uses OAuth for authentication/authorization, does not directly enforce two-factor authentication requirements server-side when authenticating a user.

As demonstrated in the video, the PayPal iOS application exhibited suspicious behavior by briefly showing the user's account information and transaction history prior to forcefully logging them out. Based on this behavior, we decided to investigate what was happening communications-wise on the wire.

Using Burp, we intercepted and analyzed HTTP/HTTPS traffic between the PayPal mobile apps and remote PayPal web services. In particular, we observed the authentication process, paying close attention to how the service responded to 2FA-enabled accounts versus non-2FA-enabled accounts.

The screenshot below shows a POST request to an OAuth endpoint on . The POST body contains, among other things, primary credentials (username & password) and some identifying data about the device. This sort of request (to the OAuth endpoint) was consistent with developer documentation on PayPal's site, so it didn't stand out as anything unusual.
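The root cause described in the Technical Details above is a token endpoint that verifies primary credentials, hands back a fully usable access token, and leaves the two-factor decision to the client. The following Python model is an added illustration and is not PayPal's code or Duo's proof of concept: it contrasts that advisory-flag design with a server-side fix in which a 2FA-enabled account only ever receives a restricted `mfa_pending` token until the second factor is verified, so a client that ignores the flag cannot reach the money-moving call. Account names, passwords, OTP values, scope names and endpoint names are all constructed for the example.

```python
"""Constructed model of a password-grant token endpoint that leaves 2FA
enforcement to the client, beside a hardened server-side version.
Everything here (accounts, secrets, scope names) is made up for illustration."""
import hmac
import secrets
from dataclasses import dataclass

ACCOUNTS = {}
TOKENS = {}


def reset():
    """Rebuild the constructed account and token stores (fresh state per demo)."""
    ACCOUNTS.clear()
    TOKENS.clear()
    # 'alice' has 2FA enabled; 'bob' does not. OTP is a fixed constructed value.
    ACCOUNTS["alice"] = {"password": "correct-horse", "two_factor": True,
                         "otp": "246810", "balance": 500}
    ACCOUNTS["bob"] = {"password": "battery-staple", "two_factor": False,
                       "otp": None, "balance": 100}


@dataclass
class Token:
    user: str
    scope: str  # "full" or "mfa_pending"


def _verify_primary(username, password):
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(acct["password"], password):
        return None
    return acct


def _issue(user, scope):
    tok = secrets.token_hex(16)
    TOKENS[tok] = Token(user, scope)
    return tok


# --- Vulnerable design: the 2FA flag in the response is advisory only.
def vulnerable_password_grant(username, password):
    acct = _verify_primary(username, password)
    if acct is None:
        return {"error": "invalid_grant"}
    # The client is told to prompt for a second factor, but the token it
    # already holds is good for every API call, so the flag can be ignored.
    return {"access_token": _issue(username, "full"),
            "two_factor_required": acct["two_factor"]}


# --- Hardened design: a 2FA account gets a restricted token until step-up.
def hardened_password_grant(username, password):
    acct = _verify_primary(username, password)
    if acct is None:
        return {"error": "invalid_grant"}
    if acct["two_factor"]:
        return {"access_token": _issue(username, "mfa_pending"),
                "two_factor_required": True}
    return {"access_token": _issue(username, "full"), "two_factor_required": False}


def complete_second_factor(pending_token, otp):
    """Exchange a pending token plus a valid OTP for a full-scope token."""
    tok = TOKENS.get(pending_token)
    if tok is None or tok.scope != "mfa_pending":
        return {"error": "invalid_token"}
    if not hmac.compare_digest(ACCOUNTS[tok.user]["otp"], otp):
        return {"error": "invalid_otp"}
    del TOKENS[pending_token]  # pending token is single-use
    return {"access_token": _issue(tok.user, "full"), "two_factor_required": False}


def transfer(access_token, to_user, amount):
    """Money-moving API: checks token scope server-side, whatever the client claims."""
    tok = TOKENS.get(access_token)
    if tok is None:
        return {"error": "invalid_token"}
    if tok.scope != "full":
        return {"error": "insufficient_scope"}
    src = ACCOUNTS[tok.user]
    if amount <= 0 or src["balance"] < amount or to_user not in ACCOUNTS:
        return {"error": "invalid_request"}
    src["balance"] -= amount
    ACCOUNTS[to_user]["balance"] += amount
    return {"ok": True, "balance": src["balance"]}


def demo_client_ignores_flag(grant):
    """A client that disregards two_factor_required and calls transfer() directly."""
    reset()
    resp = grant("alice", "correct-horse")
    return transfer(resp["access_token"], "bob", 50)


def demo_step_up(otp):
    """The legitimate hardened flow: primary credentials, then OTP, then transfer."""
    reset()
    resp = hardened_password_grant("alice", "correct-horse")
    step = complete_second_factor(resp["access_token"], otp)
    if "error" in step:
        return step
    return transfer(step["access_token"], "bob", 50)


if __name__ == "__main__":
    print("vulnerable:", demo_client_ignores_flag(vulnerable_password_grant))
    print("hardened:  ", demo_client_ignores_flag(hardened_password_grant))
    print("step-up:   ", demo_step_up("246810"))
```

The point of the contrast is where the decision lives: in the vulnerable variant the only thing standing between a password and a funds transfer is the client honoring `two_factor_required`, whereas in the hardened variant the transfer endpoint inspects the token's scope and the token endpoint never mints a full-scope token for a 2FA account without the second factor. Detection-wise, a server that logs scope-denied calls on money-moving endpoints gains a direct signal for clients that skip the step-up.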