Researchers Bypass PayPal’s Two-Factor Authentication

Researchers Bypass PayPal’s Two-Factor Authentication, hack paypal, Bypass paypal security, news of Paypal Two-Factor Authentication, Two-Factor Authentication hacked, researcher bypassed Two-Factor Authentication,
PayPal’s Two-Factor Authentication, PayPal security bypassed, paypal hacked
Researcher of advanced research team "Duo Security" have discovered the way to bypass Paypal's two-factor authentication (2FA). The vulnerability lies primarily in the authentication flow for the PayPal API web service ( — an API used by PayPal’s official mobile applications, as well as numerous third-party merchants and apps — but also partially in the official mobile apps themselves.

As on the blog-post researcher says that the vulnerability is not fully patched in the Paypal's system, but Paypal team is working to fixed it permanently,.

What is Two-factor Authentication
Two Factor Authentication, also known as 2FA, two step verification or TFA (as an acronym), is an extra layer of security that is known as "multi factor authentication" that requires not only a password and username but also something that only, and only, that user has on them, i.e. a piece of information only they should know or have immediately to hand - such as a physical token.

Impact of the Vulnerability
Researcher added, the vulnerability exist in the Paypal mobile application and the web interface is not affected by the bypass vulnerability.

With the 2FA bypass attacker can do every thing from the victims account, as like sends money to attackers account.

Researcher have developed a proof-of-concept exploit to leverage this lack of 2FA enforcement, interfacing with the PayPal API directly and effectively mimicking the PayPal mobile app as though it were accessing a non-2FA account. The exploit communicates with two separate PayPal API services — one to authenticate (only with primary credentials), and another to transfer money to a destination account.

Technical details
The vulnerability lies primarily in the authentication flow for PayPal’s API web services. In particular,, a REST-ful API which uses OAuth for authentication/authorization, does not directly enforce two-factor authentication requirements server-side when authenticating a user.

Researcher have used Burp tool to intercepted  HTTP/HTTPS traffic between the PayPal mobile apps and remote PayPal web services to analyzed how the service responded to 2FA-enabled accounts versus non-2FA-enabled accounts.

On Analyzing researchers found a JSON dictionary that was returned containing some additional PayPal service URIs, various tokens (primarily OAuth-related), and some 2FA-related attributes.

Note the red highlight around the “2fa_enabled” attribute. As it turned out, the value of this attribute being set to “true” caused the mobile application to return to the login screen and display an error message, indicating that 2FA was not currently supported.  This error message was observed on both Android and iOS Paypal Apps.

As researcher was using Burp tools, they have used match-and-replace feature of tool to modify the some of the data, and rewrite the “2fa_enabled” value to “false”. 

With the simple modification on data, the mobile clients would then proceed as normal, as there was no two-factor authentication enabled on account. Although the underlying vulnerability is present on the server-side, this tweak amounted to client-side “enforcement” of 2FA.

With that modification, attacker have successfully logged in to the victims account. But further more researcher have discovered that additional session identifier being returned in the JSON dictionary, as highlighted below.

As it turned out, “session_token” is used for authorization, an otherwise (publicly) undocumented SOAP-based API that provides additional account-related functionality, including but not limited to sending money.

Further more, researcher have stepped forward there attack to "Send Money", and for this have crafted a Python script exploit which exploited the vulnerability and leads to success in sending money from victims accounts.

POC: Demonstrate VIDEO
For the POC, researcher have also made a demonstrating Video of the Flaw

 Click to Play Video

Till yet the Vulnerability is not fully fixed yet, but in a statement posted on its PayPal Forward Community page, PayPal's senior director of global initiatives, Anuj Naya, said that despite the vulnerability, "all PayPal accounts remain secure".

Header Image- Threatpost
Source/Other images- Duosecurity

Read Also
1 comment
  1. Unknown
    Yet another example of how using interpreted languages on your website will bite you in the nether regions.
    Python script? Really?
    All they need to do to make the website totally hackable, is to write a few PHP.pages to allow some SQL injection.
    C'mon PayPal, hire a few real programmers who know what a compiler is.