Slashdot Mirror


PayPal's Two-Factor Authentication Can Be Bypassed Using eBay Bug

About six weeks ago, a hole in PayPal's two-factor authentication and their mobile client was discovered. hypnosec (2231454) wrote in with news of another trivial way to bypass PayPal's two-factor authentication. A bug in a feature for eBay integration allows passing a GET parameter to completely bypass two-factor authentication, and you don't even need to be coming from eBay to use it. You still need the password, but the additional protection is lost.

From the article: eBay, in conjunction with PayPal, provide a service as to where you can link your eBay account to your PayPal account, and when you sell something on eBay, the fees automatically come out of your PayPal account. ... When you are redirected to the login page, the URL contains "=_integrated-registration." ... Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load http://www.paypal.com/ , and you are logged in, and don't need to re-enter your login. So, the actual bug itself is that the "=_integrated-registration" function does not check for a 2FA code, despite logging you into PayPal. You could repeat the process using the same "=_integrated-registration" page unlimited times.
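The design flaw described above is an alternate login entry point that sets the session cookie after the password check without ever consulting the second factor. The following added example (not PayPal's or eBay's code; the user store, the Session class and the handler names are constructed for illustration) models that pattern beside the hardened version, where every entry point defers to a single authentication gate that only marks the session authenticated once the second factor has been verified.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample user store; the password and one-time code are placeholders.
USERS = {"alice": {"password": "correct horse", "otp": "123456", "mfa_enabled": True}}


@dataclass
class Session:
    user: Optional[str] = None
    authenticated: bool = False   # only this flag grants access to the account
    pending_mfa: bool = False     # password accepted, second factor still outstanding


def check_password(user: str, password: str) -> bool:
    record = USERS.get(user)
    return record is not None and hmac.compare_digest(record["password"], password)


# Vulnerable pattern: the integration flow (think "=_integrated-registration")
# marks the session authenticated right after the password succeeds.
def integrated_registration_login_vulnerable(session: Session, user: str, password: str) -> bool:
    if check_password(user, password):
        session.user = user
        session.authenticated = True   # no second-factor check on this path
        return True
    return False


# Hardened pattern: one gate that every login flow must call. It never sets
# `authenticated` while a required second factor has not been verified.
def complete_login(session: Session, user: str, password: str, otp: Optional[str] = None) -> str:
    if not check_password(user, password):
        return "denied"
    if USERS[user]["mfa_enabled"]:
        if otp is None or not hmac.compare_digest(USERS[user]["otp"], otp):
            session.user = user
            session.pending_mfa = True   # remember who is mid-login, grant nothing yet
            return "mfa_required"
    session.user = user
    session.pending_mfa = False
    session.authenticated = True
    return "ok"


def integrated_registration_login_fixed(session: Session, user: str, password: str,
                                        otp: Optional[str] = None) -> str:
    # The integration entry point keeps its own URL and cookie handling but
    # delegates authentication to the shared gate instead of reimplementing it.
    return complete_login(session, user, password, otp)


def can_view_account(session: Session) -> bool:
    return session.authenticated
```

The useful audit step this suggests is to enumerate every handler that can set the authenticated flag and confirm each one reaches it only through the shared gate.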

3 of 33 comments

  1. unable to replicate findings. by Kenja · Score: 4, Informative

    Perhaps I'm not understanding... but as my PayPal and eBay accounts have different passwords and I have two-factor authentication set up using a DigiPass 5 rotating cipher key, I am unable to replicate what is being reported. No matter what, I am prompted for my DigiPass token key and password.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  2. Re:No worries by jcgam69 · Score: 5, Informative

    I see comments like this all the time, but in my own personal experience PayPal protected me as a seller from a fraudulent buyer who tried to steal several hundred dollars. Although the process was not quick, in the end PayPal discovered the truth, and I'll continue to use and recommend the service.

  3. PIN before pumping fuel by tepples · Score: 4, Informative

    That's like allowing a gas station to change the amount to transfer after you entered your PIN.

    Except they already do that. The cardholder slides the card and puts in a PIN before pumping the fuel, at which time the pump doesn't know how much fuel the cardholder will pump. So the pump places an "authorization" for $100 or so, which lowers the cardholder's credit limit by $100 for the rest of the day, and turns on for up to $100 of fuel. Later, the pump performs a "capture" that releases the "authorization" and makes the payment final.