You can now find Cyber Kendra on Google News!

Paypal Two-Factor Authentication bypassed - Teen hacker Claims

Teen hacker claims to Bypass Paypal security, Paypal Two-Factor Authentication bypassed, hacking paypal, security of paypal, 2FA of Paypal, security update of Paypal, Paypal security layer, Vulnerability report to Paypal team
Last in June, Researcher of advanced research team "Duo Security" have discovered the way to bypass Paypal's two-factor authentication (2FA), the vulnerability lies primarily in the authentication flow for the PayPal API web service ( And now once again a teen white hat hacker claim to found a way to bypass the Two-Factor Authentication of Paypal system.

A young teen Joshua Rogers from Melbourne, Australia, have claims to bypass the Two-Factor Authentication (2FA) system PayPal uses to protect user accounts. Rogers explain that the bypass process requires little more than spoofing a browser cookie set when users link their eBay and PayPal accounts.

He further explained that once the cookie—which is tied to a function, which PayPal identifies as "=_integrated-registration" is active in a user's browsing session, then the two-factor authentication of Paypal is bypassed. In simple words it means that Paypal didn't check for the 2FA code while logging in. 

This means if the attacker some how gained some of the login credentials then attack can also access to the Paypal account of the victim without entering the one-time passcode sent to the account holder's mobile phone. [Note- Both eBay's and Paypal account should be linked for this process]
In an ethical way, Rogers had reported the issue to Paypal security team on 5th June. But after two months with no response from Paypal team he makes it public
Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lays. Now just load and you are logged in and don't need to re-enter your login.
So, the actual bug itself is that the "=_integrated-registration" function does not check for a 2FA code, despite logging you into PayPal.
You could repeat the process using the same "=_integrated-registration" page unlimited times. - he wrote
As the technique does requires a victim password, but the scenario show the flaw in the 2FA system of Paypal, which didn't ask for onetime passcode (OTP)  while logging into Paypal account.

For the Proof-of-concept Rogers has also provided a Video demonstration of the flaw. You can check the demonstration video right below.

1 comment

  1. Great post bro :o

    regards : Click Here Latest Tricks