PayPal 2FA mobe flaw chills 'warm and fuzzy' security feeling

  • 26 June 2014
  • 2 replies
  • 33 views

By Darren Pauli, 26 Jun 2014
 
PayPal's second-factor authentication (2FA) protection can be mitigated through mobile device interfaces that allow fraudsters to steal funds with a victim's username and password, Duo Security researchers say.
 The bypass, crimped but not eradicated by client-side patches, existed because the PayPal iOS and Android mobile app infrastructure could be tricked into ignoring the existence of 2FA controls in place on users' accounts.
 
The Register, full read here: http://www.theregister.co.uk/2014/06/26/paypal_2fa_mobe_flaw_chills_warm_and_fuzzy_security_feeling/
 
 

2 replies

A vulnerability in the authentication flow of the PayPal API web services allowed access to an account protected by PayPal’s two-factor authentication (2FA) mechanism.

2FA is a supplementary security measure which requires entering an additional code that is generally sent to the owner’s email address or mobile phone as a short text message.

PayPal mobile apps cannot be used to access accounts that have 2FA enabled, but it seems that the login procedure is still carried out in the absence of the supplementary security code and, when the signal that the login is protected by the additional code returns from the server, access to said account is blocked.

On iOS, by enabling the Airplane Mode before the 2FA signal returns from the server and then re-enabling connectivity of the device, it is possible to gain access to an account protected by the double security measure.

According to Duo Security researcher Zach Lanier, the flaw was possible because during the authorization process of 2FA-enabled accounts, a session token was provided after logging in with the username and password; this allowed various account-related actions to be performed, including money transfers.

The discovery was made by Dan Saltman, a developer who, at the end of March, reported the issue to PayPal via the Bug Bounty program, but received an automated response only after about a month, letting him know that the investigation was ongoing. Meanwhile, he contacted Duo Security for validation of the flaw.

Duo Security confirmed the issue. Upon further investigation, they reproduced the 2FA bypass with mobile apps for the Android operating system. The security firm also contacted PayPal on April 23 and received a reply two days later, informing that the case was still under investigation.

After an email exchange between the security firm (which on June 9 announced its intent to publicly disclose on June 25) and PayPal, extending over the course of a month, the latter implemented a temporary fix for the problem.
Full Article
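The flaw the reply above describes is a client-side-enforced second factor: the server handed out a session token on password alone and merely told the app that 2FA was required, so an app that never acted on that flag (or lost connectivity before it arrived) already held a token that could move money. The following is an added example, not code from the page, from PayPal or from Duo Security; the account table, token format and endpoint names are constructed for illustration. It puts a server modelled on that design next to one that keeps the 2FA state server-side and refuses money-moving calls until the code has been verified.

```python
"""Toy model of a login flow where 2FA is enforced only by the client,
next to a server that gates the session on the second factor.

Constructed example: the accounts, tokens and API shape are made up for
illustration and are not PayPal's API or Duo Security's research code.
"""
import hmac
import secrets

# Constructed test accounts: password and one-time code are hard-coded
# so the example runs offline.
ACCOUNTS = {
    "alice": {"password": "correct horse", "otp": "123456", "tfa_enabled": True},
    "bob":   {"password": "hunter2",       "otp": None,     "tfa_enabled": False},
}


class VulnerableServer:
    """Issues a fully privileged session token after the password alone and
    merely *tells* the client that 2FA is required. A client that never acts
    on that flag keeps a token that can already transfer money."""

    def __init__(self):
        self.sessions = {}  # token -> username

    def login(self, user, password):
        acct = ACCOUNTS.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        # The 2FA requirement is only a hint for the app's UI.
        return {"token": token, "tfa_required": acct["tfa_enabled"]}

    def transfer(self, token, amount):
        user = self.sessions.get(token)
        if user is None:
            return "rejected: no session"
        return f"ok: {user} sent {amount}"


class HardenedServer:
    """Issues a token whose server-side state records whether the second
    factor was verified. Money-moving calls check that state, so nothing
    the client does (or fails to do) changes the outcome."""

    def __init__(self):
        self.sessions = {}  # token -> {"user": ..., "tfa_verified": bool}

    def login(self, user, password):
        acct = ACCOUNTS.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        token = secrets.token_hex(16)
        # Accounts without 2FA are fully authenticated by the password.
        self.sessions[token] = {"user": user, "tfa_verified": not acct["tfa_enabled"]}
        return {"token": token, "tfa_required": acct["tfa_enabled"]}

    def verify_otp(self, token, code):
        sess = self.sessions.get(token)
        if sess is None:
            return False
        expected = ACCOUNTS[sess["user"]]["otp"]
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        sess["tfa_verified"] = True
        return True

    def transfer(self, token, amount):
        sess = self.sessions.get(token)
        if sess is None:
            return "rejected: no session"
        if not sess["tfa_verified"]:
            return "rejected: second factor not verified"
        return f"ok: {sess['user']} sent {amount}"


def client_ignoring_tfa_flag(server, user, password, amount):
    """Models the bypass: the app gets a token, never shows the OTP prompt
    (as if connectivity dropped before the flag was acted on), and calls
    the transfer endpoint directly."""
    resp = server.login(user, password)
    if resp is None:
        return "rejected: bad credentials"
    return server.transfer(resp["token"], amount)


def client_completing_tfa(server, user, password, code, amount):
    """Honest client flow: submits the one-time code when asked to."""
    resp = server.login(user, password)
    if resp is None:
        return "rejected: bad credentials"
    if resp["tfa_required"] and not server.verify_otp(resp["token"], code):
        return "rejected: bad code"
    return server.transfer(resp["token"], amount)


if __name__ == "__main__":
    print(client_ignoring_tfa_flag(VulnerableServer(), "alice", "correct horse", 100))
    print(client_ignoring_tfa_flag(HardenedServer(), "alice", "correct horse", 100))
    print(client_completing_tfa(HardenedServer(), "alice", "correct horse", "123456", 100))
```

The point is where the decision lives: in the vulnerable model the only thing standing between a password-holder and a transfer is the app's willingness to show an OTP prompt, which is exactly what the Airplane Mode trick and the patched-out client checks got around. In the hardened model the token is issued the same way, but the `tfa_verified` bit is server state that only `verify_otp` can flip, so a client that skips the prompt simply gets a rejection.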
Duplicate Article.  This might be better placed as an additional information post/reply here.
