A computer security researcher said it took him less than five minutes to bypass PayPal’s two-factor authentication, a feature intended to provide an extra layer of security in addition to a password.
Researcher Henry Hoggard said he recently needed to make a payment but was in a hotel that didn’t have mobile phone reception, and so was unable to receive PayPal’s authentication token, which is ordinarily sent via text message.
The technique he uncovered involved requesting another two-factor option that allows users to answer security questions.
Hoggard found that he could enter any response for the questions, then modify the data sent by his browser to PayPal to make the site believe he had answered correctly.
The hack involved removing the “securityQuestion0” and “securityQuestion1” strings from the browser post data, Hoggard said.
He reported the issue to PayPal in early October and it was reported as fixed on Friday, he said. He received payment for the flaw through PayPal’s bug bounty scheme.
The bug would have allowed anyone who knew a user’s password to make payments using their account – exactly the situation two-factor authentication is supposed to prevent.
A number of recent password breaches affecting millions of users of major websites, including LinkedIn and Yahoo, have led to further hacks where the same username and password was used on other websites.
Most major websites now offer two-factor authentication option, including banking and finance sites, but also messaging services such as Instagram and Snapchat.
Are you a security pro? Try our quiz!
German foreign minister warns Russia will face consequences for “absolutely intolerable” cyberattack on ruling party,…
Google is reportedly laying off at least 200 staff from its “Core” organisation, including key…
Investor appeasement? Apple unveils huge $110 billion share buyback program, as sales of iPhone decline…
Tesla retreats from pioneering gigacasting manufacturing process, amid cost cutting and challenges at EV giant
No skynet please. After the US, UK and France pledge human only control of nuclear…
Microsoft's AI investments continue in south east Asia, after investments in Japan, Malaysia, Indonesia, as…