As the researchers state in their blog post, the vulnerability is not fully patched in PayPal's system, but the PayPal team is working to fix it permanently.
Two-factor authentication, also known as 2FA, two-step verification or TFA, is an extra layer of security, a form of "multi-factor authentication", that requires not only a username and password but also something that only that user has: a piece of information only they should know, or a physical token they have immediately to hand.
Impact of the Vulnerability
The researchers added that the vulnerability exists in the PayPal mobile application; the web interface is not affected by the bypass.
With the 2FA bypass, an attacker can do everything from the victim's account, such as sending money to the attacker's own account.
The researchers developed a proof-of-concept exploit to leverage this lack of 2FA enforcement, interfacing with the PayPal API directly and effectively mimicking the PayPal mobile app as though it were accessing a non-2FA account. The exploit communicates with two separate PayPal API services: one to authenticate (with primary credentials only), and another to transfer money to a destination account.
The vulnerability lies primarily in the authentication flow for PayPal's API web services. In particular, api.paypal.com, a RESTful API which uses OAuth for authentication and authorization, does not directly enforce two-factor authentication requirements server-side when authenticating a user.
The researchers used the Burp tool to intercept HTTP/HTTPS traffic between the PayPal mobile apps and the remote PayPal web services, and analyzed how the service responded to 2FA-enabled accounts versus non-2FA-enabled accounts.
On analyzing the traffic, the researchers found that a JSON dictionary was returned containing some additional PayPal service URIs, various tokens (primarily OAuth-related), and some 2FA-related attributes.
Since they were already using Burp, the researchers used its match-and-replace feature to modify some of the response data and rewrite the "2fa_enabled" value to "false".
With this simple modification, the mobile clients would then proceed as normal, as though no two-factor authentication were enabled on the account. Although the underlying vulnerability is present on the server side, this tweak showed that the "enforcement" of 2FA was happening only on the client.
With that modification, the attacker successfully logged in to the victim's account. Furthermore, the researchers discovered an additional session identifier being returned in the JSON dictionary, as highlighted below.
The researchers then stepped their attack forward to "Send Money", crafting a Python exploit script that leveraged the vulnerability and succeeded in sending money from the victim's account.
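To make the difference between client-side and server-side 2FA enforcement concrete, here is an added toy model of a login-plus-transfer API in both the flawed and the fixed shape. It is not PayPal's code and not the researchers' exploit; the account store, the demo one-time code and every class and function name are constructed for this example.

```python
import hmac
import secrets

# Constructed demo account store and one-time code; not real PayPal data.
ACCOUNTS = {"victim": {"password": "correct horse", "2fa_enabled": True}}
DEMO_OTP = "123456"


class MoneyApi:
    """Toy login + transfer service. enforce_server_side=False reproduces the
    flaw: a full session token is issued on primary credentials alone and the
    '2fa_enabled' attribute is only a hint the client is trusted to act on."""

    def __init__(self, enforce_server_side):
        self.enforce = enforce_server_side
        self.sessions = {}  # token -> user allowed to call send_money
        self.pending = {}   # pre-auth token -> user still awaiting the OTP

    def authenticate(self, user, password):
        acct = ACCOUNTS.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        token = secrets.token_hex(16)
        if acct["2fa_enabled"] and self.enforce:
            self.pending[token] = user  # no privilege until verify_otp succeeds
            return {"preauth_token": token, "2fa_required": True}
        self.sessions[token] = user     # privileged before any second factor
        return {"access_token": token, "2fa_enabled": acct["2fa_enabled"]}

    def verify_otp(self, preauth_token, otp):
        user = self.pending.pop(preauth_token, None)  # single use, even on a miss
        if user is None or not hmac.compare_digest(otp, DEMO_OTP):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user     # privilege granted only now
        return {"access_token": token}

    def send_money(self, token, amount):
        # The server decides on its own state, never on a flag the client sent.
        return token in self.sessions and amount > 0


def flag_ignoring_client(api, user, password):
    """A client that disregards the server's 2FA flag, as the rewritten
    response made the app do, and tries a transfer with the token it was given."""
    resp = api.authenticate(user, password)
    token = resp.get("access_token") or resp.get("preauth_token")
    return api.send_money(token, 10)
```

Against the flawed configuration the flag-ignoring client completes the transfer; against the server-enforced one it holds only a pre-auth token, which the transfer endpoint rejects until the second factor has been verified.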
POC: Demonstration Video
For the POC, the researchers also made a video demonstrating the flaw.
The vulnerability is not yet fully fixed, but in a statement posted on its PayPal Forward community page, PayPal's senior director of global initiatives, Anuj Nayar, said that despite the vulnerability, "all PayPal accounts remain secure".
Header image: Threatpost
Source and other images: Duo Security