PayPal's Two-Factor Authentication Can Be Bypassed Using eBay Bug
About six weeks ago, a hole in PayPal's two-factor authentication and their mobile client was discovered. hypnosec (2231454) wrote in with news of another trivial way to bypass PayPal's two-factor authentication. A bug in a feature for eBay integration allows passing a GET parameter to completely bypass two-factor authentication, and you don't even need to be coming from eBay to use it. You still need the password, but additional protection is lost.

From the article:

eBay, in conjunction with PayPal, provide a service as to where you can link your eBay account to your PayPal account, and when you sell something on eBay, the fees automatically come out of your PayPal account. ... When you are redirected to the login page, the URL contains "=_integrated-registration." ... Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load http://www.paypal.com/ , and you are logged in, and don't need to re-enter your login.

So, the actual bug itself is that the "=_integrated-registration" function does not check for a 2FA code, despite logging you into PayPal.
You could repeat the process using the same "=_integrated-registration" page unlimited times.
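A minimal model of the flaw class described in the summary, as an added example that is not PayPal's code or part of the original story: an alternate login flow that hands out a fully trusted session, next to a version where every flow yields the same password-only session and one gate decides access. The account data, function names and static one-time code are constructed for illustration.

```python
import hmac
from dataclasses import dataclass

# Constructed sample account (plaintext password and fixed code are simplifications).
USERS = {"alice": {"password": "correct horse", "otp": "492817", "mfa_enrolled": True}}

@dataclass
class Session:
    user: str
    mfa_verified: bool = False

def check_password(user, password):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)

def login_vulnerable(user, password, flow="standard"):
    """Flawed pattern: the alternate flow issues a fully trusted session."""
    if not check_password(user, password):
        return None
    if flow == "integrated-registration":
        return Session(user, mfa_verified=True)  # bug: second factor never checked
    return Session(user)                         # standard flow still awaits the code

def login_hardened(user, password, flow="standard"):
    """Every entry point yields the same password-only session."""
    if not check_password(user, password):
        return None
    return Session(user)  # flow may pick the post-login redirect, never the trust level

def submit_otp(session, code):
    """Upgrade the session only when the submitted code matches."""
    if hmac.compare_digest(USERS[session.user]["otp"], code):
        session.mfa_verified = True
    return session.mfa_verified

def can_access_account(session):
    """Central gate evaluated on every account page, whatever the login route."""
    if session is None:
        return False
    return session.mfa_verified or not USERS[session.user]["mfa_enrolled"]
```

The useful regression test for this class of bug is to enumerate every login entry point and assert that none of them produces a session that passes the gate before the second factor is submitted.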
The hole was found six weeks ago. If they didn't fix it within that time frame, we'd have a serious problem on our hands. http://it.slashdot.org/story/1...
Same here. I've had multiple disputes on PayPal and they all were decided in my favor.
My dad had several thousand dollars stolen from his account and PayPal gave him all his money back.
I never leave money in my account so there is really nothing they can seize from me and their arbitration leaves an extra layer of protection against fraud.
I'll see your story and raise you mine. I bought a video card on eBay back in December, paid 1200 for it and waited for it to arrive to a pick up centre, but the seller used a wrong name on the package and so the package was returned. From POV of eBay the shipping was 'completed' because the tracking number was there, showing 'delivered', but the address of the delivery was back in New York, not my destination address. Then the 'seller' supposedly sent the package to me the second time, but this time wouldn't provide the tracking number, and the package never arrived. Talking to eBay appeared to be fruitless (as a side note, the 'seller' put the same item back for sale, and since she doesn't normally sell computer parts, I assume it was the same video card that was put for sale once again). I contacted eBay and PayPal, nothing. Eventually I worked it out through my credit card, they pressed on PayPal I guess, I got the money back but not thanks to eBay or PayPal. AFAIC (and I told them that) they continued working with somebody selling stolen property, but it didn't matter to them.
You can't handle the truth.