A computer security researcher said it took him less than five minutes to bypass PayPal’s two-factor authentication, a feature intended to provide an extra layer of security in addition to a password.
Researcher Henry Hoggard said he recently needed to make a payment but was in a hotel that didn’t have mobile phone reception, and so was unable to receive PayPal’s authentication token, which is ordinarily sent via text message.
The technique he uncovered involved requesting another two-factor option that allows users to answer security questions.
Hoggard found that he could enter any response for the questions, then modify the data sent by his browser to PayPal to make the site believe he had answered correctly.
The hack involved removing the “securityQuestion0” and “securityQuestion1” strings from the browser post data, Hoggard said.
He reported the issue to PayPal in early October and it was reported as fixed on Friday, he said. He received payment for the flaw through PayPal’s bug bounty scheme.
The bug would have allowed anyone who knew a user’s password to make payments using their account – exactly the situation two-factor authentication is supposed to prevent.
A number of recent password breaches affecting millions of users of major websites, including LinkedIn and Yahoo, have led to further hacks where the same username and password was used on other websites.
Most major websites now offer two-factor authentication option, including banking and finance sites, but also messaging services such as Instagram and Snapchat.
Are you a security pro? Try our quiz!
British regulator invites feedback on major partnerships Microsoft and Amazon have struck with smaller AI…
Another 20 staff have been fired by Google over Israel protest and their “completely unacceptable…
Censorship row brewing down under, after the Australian Prime Minister calls Elon Musk an 'arrogant…
Financial regulator asks New York judge to impose $5.3 billion in fines against Terraform Labs…
Lightweight artificial intelligence model launched this week by Microsoft, offering more cost-effective option for Azure…
ByteDance protest falls on deaf ears, as Senate passes TikTok ban or divest bill, with…