Researcher Breaches PayPal’s Two-Factor Authentication In Five Minutes

The surprisingly simple hack tricked PayPal into giving the researcher access to his own account

A computer security researcher said it took him less than five minutes to bypass PayPal’s two-factor authentication, a feature intended to provide an extra layer of security in addition to a password.

Researcher Henry Hoggard said he recently needed to make a payment but was in a hotel that didn’t have mobile phone reception, and so was unable to receive PayPal’s authentication token, which is ordinarily sent via text message.

Five-minute hack

PayPal - Shutterstock - © Gil C“Luckily for me PayPal’s (two-factor authentication) took less than five minutes to bypass,” he said in an advisory.

The technique he uncovered involved requesting another two-factor option that allows users to answer security questions.

Hoggard found that he could enter any response for the questions, then modify the data sent by his browser to PayPal to make the site believe he had answered correctly.

The hack involved removing the “securityQuestion0” and “securityQuestion1” strings from the browser post data, Hoggard said.

Password security fears

He reported the issue to PayPal in early October and it was reported as fixed on Friday, he said. He received payment for the flaw through PayPal’s bug bounty scheme.

The bug would have allowed anyone who knew a user’s password to make payments using their account – exactly the situation two-factor authentication is supposed to prevent.

A number of recent password breaches affecting millions of users of major websites, including LinkedIn and Yahoo, have led to further hacks where the same username and password was used on other websites.

Most major websites now offer two-factor authentication option, including banking and finance sites, but also messaging services such as Instagram and Snapchat.

Are you a security pro? Try our quiz!