Categories: Security

Researcher Breaches PayPal’s Two-Factor Authentication In Five Minutes

A computer security researcher said it took him less than five minutes to bypass PayPal’s two-factor authentication, a feature intended to provide an extra layer of security in addition to a password.

Researcher Henry Hoggard said he recently needed to make a payment but was in a hotel that didn’t have mobile phone reception, and so was unable to receive PayPal’s authentication token, which is ordinarily sent via text message.

Five-minute hack

“Luckily for me PayPal’s (two-factor authentication) took less than five minutes to bypass,” he said in an advisory.

The technique he uncovered involved requesting another two-factor option that allows users to answer security questions.

Hoggard found that he could enter any response for the questions, then modify the data sent by his browser to PayPal to make the site believe he had answered correctly.

The hack involved removing the “securityQuestion0” and “securityQuestion1” strings from the browser post data, Hoggard said.

Password security fears

He reported the issue to PayPal in early October and it was reported as fixed on Friday, he said. He received payment for the flaw through PayPal’s bug bounty scheme.

The bug would have allowed anyone who knew a user’s password to make payments using their account – exactly the situation two-factor authentication is supposed to prevent.

A number of recent password breaches affecting millions of users of major websites, including LinkedIn and Yahoo, have led to further hacks where the same username and password was used on other websites.

Most major websites now offer two-factor authentication option, including banking and finance sites, but also messaging services such as Instagram and Snapchat.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Supreme Court Permits Nvidia Investor Lawsuit To Proceed

Setback for Nvidia after Supreme Court rules class-action lawsuit against AI chip giant for misleading…

14 hours ago

TikTok Files Challenge Against Canadian Shutdown Order

Notice filed in federal court to challenge Canadian government order to shutdown TikTok's Canada's operations

16 hours ago

Apple Intelligence Launches In UK, Siri Integrated With ChatGPT

Users of the iPhone 15 and later in the UK can now experience Apple Intelligence,…

17 hours ago

US Awards Micron $6.1 Billion From US Chips Act

Biden administration awards $6.1 billion subsidy from US Chips Act for Micron's Idaho and and…

19 hours ago

California Mulls Health Warnings For Social Media Sites

Bill (if passed) could see California become the first US state to require mental health…

22 hours ago

GM Kills Cruise Robotaxi Business, After Funding Is Pulled

General Motors kills Cruise robotaxi ambitions, after halting funding for the loss-making autonomous vehicle unit

23 hours ago