Security Key 2FA protection rendered almost completely useless
eBay-owned payments giant PayPal has pushed out a fix for a bug that would have allowed an attacker to easily get around its two-factor authentication Security Key.
Researchers said the vulnerability effectively made the protection layer useless, as exploits could either be carried out from a mobile device or using a specially- designed program.
The bug was initially discovered by entrepreneur Dan Saltman, who found that despite having two-factor enabled he could still login via the PayPal mobile app without having to enter the one-time code the Security Key requires to allow a user in.
The 2FA protection doesn’t actually work on mobile clients – a user is quickly logged in and then logged out again, with a notification telling them they can’t use the app as it doesn’t support the security feature.
But when Saltman, using flight mode, turned off connectivity quickly after being logged in, he found that if he turned the connectivity back on he remained signed in and able to make payments.
Saltman approached researchers at Duo Security, who found the issue was more serious and lay in the application programming interfaces (APIs) PayPal was using. Those APIs were sending session tokens to mobile clients before even asking for two-factor authentication.
Senior security researcher at Duo, Zach Lanier, created a quick program that replicated the mobile app and was able to swap out some code to tell PayPal servers the Security Key feature was not switched on for the user.
“We developed a proof-of-concept exploit to leverage this lack of 2FA enforcement, interfacing with the PayPal API directly and effectively mimicking the PayPal mobile app as though it were accessing a non-2FA account,” Lanier said in a blog post.
“The exploit communicates with two separate PayPal API services – one to authenticate (only with primary credentials), and another to transfer money to a destination account.
“Note that the standard browser-based PayPal web interface is not affected by the bypass. However, since an attacker can simply use the underlying API to gain full account access, this distinction is purely academic.”
PayPal has now stopped sending those session tokens from its API to mobile clients where 2FA is enabled. It is also planning a fuller fix in late July.
“As a precaution we have disabled the ability for customers who have selected 2FA to log in to their PayPal account on the PayPal mobile app and on certain other mobile apps until an identified fix can be implemented in the next few weeks,” a spokesperson said.
PayPal’s owner has had a bad year for security. eBay announced it was breached earlier this year, asking all users to change their passwords.
Are you a security pro? Try our quiz!