Researchers: PayPal two-factor authentication was easy to circumvent


Researchers have discovered that PayPal's two-factor authentication was trivial to bypass. Two-factor authentication is intended to make accounts more secure, but the variant PayPal offered provided, in practice, hardly any additional protection.

The vulnerability was discovered by security firm Duo Security. When two-factor authentication is enabled on a PayPal account, the PayPal server sends the variable "2fa_enabled" with the value "true". By intercepting the traffic and changing that value to "false", the process could be bypassed entirely, the company discovered.
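The weakness described above is that the server hands out a fully usable session after the password check and only tells the client, via the flag, to ask for a second factor. The following is an added example, not Duo Security's script or PayPal's code; it models that flawed server beside a hardened one that keeps the session limited until it has itself verified the second factor. Account data, the one-time code and the amounts are constructed.

```python
# Added illustration (not PayPal's or Duo Security's code). Constructed account
# store: username -> password, whether 2FA is on, and the expected one-time code.
import secrets

ACCOUNTS = {"alice": {"password": "correct-horse", "two_factor": True, "otp": "492817"}}
SESSIONS = {}  # token -> {"user": ..., "verified": bool}


def _password_ok(user, password):
    acct = ACCOUNTS.get(user)
    return acct is not None and secrets.compare_digest(acct["password"], password)


def vulnerable_login(user, password):
    """Flawed: the session is usable at once; "2fa_enabled" is only a hint to the client."""
    if not _password_ok(user, password):
        return None
    token = secrets.token_hex(8)
    SESSIONS[token] = {"user": user, "verified": True}  # server never checks the 2nd factor
    return {"token": token, "2fa_enabled": str(ACCOUNTS[user]["two_factor"]).lower()}


def hardened_login(user, password):
    """Fixed: the session stays unverified until the server sees the second factor."""
    if not _password_ok(user, password):
        return None
    token = secrets.token_hex(8)
    needs_2fa = ACCOUNTS[user]["two_factor"]
    SESSIONS[token] = {"user": user, "verified": not needs_2fa}
    return {"token": token, "2fa_enabled": str(needs_2fa).lower()}


def verify_second_factor(token, code):
    """Server-side check of the one-time code; upgrades the session only on success."""
    sess = SESSIONS.get(token)
    if sess is None:
        return False
    if secrets.compare_digest(ACCOUNTS[sess["user"]]["otp"], code):
        sess["verified"] = True
    return sess["verified"]


def send_payment(token, amount):
    """Shared by both servers: a transaction requires a verified session."""
    sess = SESSIONS.get(token)
    if sess is None or not sess["verified"]:
        return "rejected: second factor not verified"
    return f"sent {amount} from {sess['user']}"
```

With the flawed server, a client that simply ignores the flag can call `send_payment` straight after the password step; with the hardened server the same call is rejected until `verify_second_factor` succeeds, regardless of what the client did with the flag.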

Incidentally, an attacker would still need the PayPal user's username and password. If those were intercepted, for example with a keylogger, the extra protection of two-factor authentication would be gone: an attacker could then set up a counterfeit login attempt on his own computer in which the extra login protection is bypassed.

The researchers used a Python script of their own to abuse the vulnerability, so that the authentication could be bypassed and a rogue transaction could be set up. That was necessary because the mobile PayPal apps still do not support accounts with two-factor authentication: the variable "2fa_enabled" is meant to tell the user that the extra login protection is enabled and to ask whether they still want to log in.

PayPal was informed of the vulnerability at the end of March, but only this past week set up a temporary workaround that makes exploiting the problem impossible. A final fix is not expected until the end of July.
