Recent security issues at PayPal have been affecting the platform. A recent report by the research team at CyberNews listed a number of security issues uncovered during their investigation. The vulnerabilities in question included a few interesting and crucial cases where they managed to overcome security controls. That wasn't the first time issues at PayPal were noticed by security researchers, however: a high-severity vulnerability spotted earlier in 2019 was capable of exposing passwords to attackers. The flaw was found by researcher Alex Birsan, who received a $15,300 bounty for reporting the issue, which was later patched on December 11, 2019. Now the CyberNews team reports that the entire process may be bypassed, making it possible for savvy attackers to access an account with nothing more than stolen credentials, acquired either through social engineering or through dark web markets.
Bypassing the two-factor authentication (2FA) method PayPal employs was the first vulnerability addressed by CyberNews, tested against PayPal for Android version 7.16.1. Their team was reportedly able to bypass the phone or email verification using the PayPal mobile app and a MITM (man-in-the-middle) proxy. That allowed them to gain access with an elevated token, allegedly taking only minutes or even seconds.
The CyberNews analysts claim to have found further vulnerabilities, specifically being able to complete phone verification without using an OTP (one-time PIN). The system works by checking whether the phone number being registered is listed under the same name as the account holder in PayPal's database; if it is not, the phone number is rejected. The team reports they were able to change the number in the outgoing onboarding call to a different one, which registered the phone number in the system as "confirmed".
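The two findings above share one root cause: the server let a value that travels through the client (and therefore through any proxy between app and server) decide whether a verification step had passed. The following is an added example, not code from CyberNews, PayPal or HackerOne, showing the weak design beside a hardened one. Everything in it is constructed: the in-memory session store, the HMAC-signed "elevated" token format, the 300-second OTP lifetime, the five-attempt lockout and the demo secret are assumptions made for the demo, not PayPal's actual implementation.

```python
"""Server-side OTP verification demo (constructed example, not PayPal's code).

Two ways a server might decide that a session may receive an "elevated" token:
  - WEAK: trust a `phone_verified` flag inside the client's request body.
          Anything sitting between app and server (a MITM proxy, for instance)
          can set that flag, so no OTP ever needs to be entered.
  - SAFE: consult only server-side state, which is set exclusively when the
          server itself checked the OTP it issued.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300       # assumption: a code is valid for five minutes
MAX_OTP_ATTEMPTS = 5        # assumption: lock out after five wrong guesses
TOKEN_TTL_SECONDS = 900     # assumption: an elevated token lasts 15 minutes


class VerificationServer:
    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret        # signing key for tokens (demo value, injected)
        self.clock = clock          # injectable clock so expiry can be tested
        self.pending = {}           # session_id -> {"otp", "exp", "attempts"}
        self.verified = set()       # session_ids whose OTP the server checked

    def start_phone_verification(self, session_id: str) -> str:
        """Issue a six-digit one-time code for this session. A real deployment
        sends it over SMS; the demo returns it so an honest client can use it."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = {
            "otp": otp, "exp": self.clock() + OTP_TTL_SECONDS, "attempts": 0}
        return otp

    def check_otp(self, session_id: str, submitted: str) -> bool:
        """Compare the submitted code against server-held state only."""
        entry = self.pending.get(session_id)
        if entry is None or self.clock() > entry["exp"]:
            self.pending.pop(session_id, None)     # expired or never issued
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_OTP_ATTEMPTS:
            del self.pending[session_id]           # stop brute force of 6 digits
            return False
        if not hmac.compare_digest(entry["otp"].encode(), submitted.encode()):
            return False
        del self.pending[session_id]               # a code is single-use
        self.verified.add(session_id)              # the only way into `verified`
        return True

    def _mint_token(self, session_id: str) -> str:
        """session|scope|expiry|HMAC-SHA256 tag, so the server can validate it."""
        exp = int(self.clock()) + TOKEN_TTL_SECONDS
        payload = f"{session_id}|elevated|{exp}"
        tag = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{tag}"

    def validate_token(self, token: str) -> bool:
        try:
            session_id, scope, exp, tag = token.split("|")
            exp = int(exp)
        except ValueError:
            return False
        payload = f"{session_id}|{scope}|{exp}"
        expected = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        return (hmac.compare_digest(expected, tag)
                and scope == "elevated"
                and exp >= self.clock())

    # WEAK: the decision hinges on a field the client (or a proxy) controls.
    def elevate_weak(self, session_id: str, request_body: dict):
        if request_body.get("phone_verified") is True:
            return self._mint_token(session_id)
        return None

    # SAFE: the decision hinges only on what this server verified itself.
    def elevate(self, session_id: str):
        if session_id in self.verified:
            return self._mint_token(session_id)
        return None


if __name__ == "__main__":
    srv = VerificationServer(b"constructed-demo-secret")
    code = srv.start_phone_verification("honest-session")
    print("honest OTP accepted:", srv.check_otp("honest-session", code))
    print("safe elevation for honest session:", srv.elevate("honest-session") is not None)
    # A tampered request claims verification for a session that never entered a code.
    print("weak endpoint fooled:", srv.elevate_weak("tampered", {"phone_verified": True}) is not None)
    print("safe endpoint fooled:", srv.elevate("tampered") is not None)
```

The point of the comparison is where `verified` gets written: only `check_otp` adds to it, after comparing against a code the server generated and stored, so a proxy that rewrites a response or request body has nothing to flip. The same reasoning applies to the phone-number check in the second finding: the record that a number is "confirmed" has to be written by the server after its own check, never copied from a field the client sent.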
Miscommunication between PayPal and the CyberNews team led to further misunderstandings, as CyberNews described the issue as a problem with the two-factor authentication system. As it stands, 2FA is a secondary identity check performed at the end of every login attempt, meant as a user-controlled confirmation and an extra layer of security beyond the username and password combination. In most cases this is done through a single-use SMS code, but it may also be a PIN completely separate from the password, an external security key, or the popular choice of an authenticator app. 2FA hacking stories have been circulating the internet more or less since the system became commonplace, with more recent examples including high-profile hacks of celebrity social media accounts and even an FBI warning in 2019 that secondary authentication was being spoofed by attackers, with only biometrics allegedly being intrusion-proof.
Like many other websites, PayPal has a 2FA system in place that prevents access to an account without the user's phone or the paired authenticator app. The choice of words employed by CyberNews led to misunderstandings with the PayPal team and the HackerOne staff, which made it hard for CyberNews to underline the importance of the issues they believe need to be patched and disclosed. According to a PayPal spokesman, without examples of accounts affected by this kind of vulnerability, there is no reason to believe the risks can't be managed by PayPal's systems.
For the moment, bypassing 2FA entirely means either hijacking the victim's mobile device somehow, or intercepting one of the one-time codes before the victim uses it. Although a determined attacker may be able to gain remote access to a targeted machine, this requires a real-time attack. Credentials get stolen on a regular basis around the world, so passwords should be changed frequently and kept unique to each app.