PayPal ‘Critical’ Login Hack: Latest Report Alerts You about Thieves’ Danger Now

For PayPal, the online payments giant, it has been a rough few weeks. First came the confirmation that an authentication hack would allow an attacker to enter an account after phishing credentials, bypassing the financial firm’s authentication tools.
And now another security report claims the entire authentication process can be bypassed, enabling an attacker to gain access to an account with nothing but stolen credentials, available for purchase on the Dark Web “for as little as $1.50.”
The study comes from the research team at CyberNews and voices a concern that neither PayPal nor the team at HackerOne who field such submissions have taken the results seriously. CyberNews said: “Our researchers found six vulnerabilities in PayPal, ranging from dangerous exploits that would allow someone to bypass their two-factor authentication to being able to submit malicious authentication. We have been met with non-stop delays, unresponsive staff, and a lack of respect through their SmartChat software.”
For its part, PayPal told me that it takes such submissions seriously “and reviews each with an appropriate sense of priority.” I was informed that the team had reviewed this in depth but, after examination, “found that the submissions did not pose a threat and that the assertions being advanced by CyberNews are inaccurate and misleading.”
HackerOne did not comment and instead deferred to the argument made by PayPal.
“We would like PayPal to take this vulnerability more seriously,” CyberNews told me. “At the moment, [PayPal is] writing it off as something ‘out-of-scope’ just because it involves stolen credentials.” The research team went to great lengths to demonstrate the exploit to me.
While there is no way of knowing what the backend algorithm is actually checking, at face value the demonstration did appear to bypass the check.
To understand the debate between PayPal and CyberNews, it is important to know how PayPal safeguards your account. Firstly, PayPal is in a unique position: it knows about both sides of any transaction, including behavioral track record, login settings, recent activity, and the likelihood that a transaction is fraudulent. The specifics are tightly guarded, but the company’s systems collect multiple data points.
That becomes apparent when you log in from a new device or from a new location identified by your connection’s IP address. Even after a successful username and password login, PayPal will run a system check looking for more assurance that it really is you, and will then try to verify that. Once you are in, it conducts additional checks on each transaction to decide whether to accept or challenge it.
CyberNews claims that it can successfully log in to an account on a new device using only the credentials, and the company gave me a demonstration. Essentially, they claim to have intercepted the backend data during the login phase so that the backend system would not question the login attempt. This is serious in itself: phished or stolen credentials alone will work, because the system checks at the login stage are bypassed.
CyberNews’ report states that it was able to bypass PayPal’s phone or email verification, “which we can call two-factor authentication (2FA) for ease of terminology. Their 2FA, called ‘Authflow’ on PayPal, is typically triggered when a user logs into their account from a new device, location, or IP address.”
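To make the disputed mechanism concrete, here is an added illustration of an Authflow-style step-up check (this is not PayPal’s code and is not from the CyberNews report): a login from an unknown device is flagged, and the two `send_money_*` functions contrast trusting a challenge flag echoed back by the client with enforcing it from server-side session state. The device list, credentials and in-memory sessions are constructed sample data.

```python
import secrets

# Constructed sample data, not PayPal's: trusted devices and credentials per user.
KNOWN_DEVICES = {"alice": {"device-aaa"}}
CREDS = {"alice": "correct-horse-battery"}
sessions = {}  # session id -> server-side state; the only source of truth

def risk_check(user, device_id):
    """Authflow-style signal: a login from an unknown device needs a step-up check."""
    return device_id not in KNOWN_DEVICES.get(user, set())

def login(user, password, device_id):
    """Password login; on a risky login, park the session behind a pending challenge."""
    if CREDS.get(user) is None or not secrets.compare_digest(CREDS[user], password):
        return None
    sid = secrets.token_hex(16)
    pending = risk_check(user, device_id)
    # The one-time code is generated and kept server-side; a real system would
    # deliver it via SMS or email rather than hand it to the client.
    otp = f"{secrets.randbelow(10**6):06d}" if pending else None
    sessions[sid] = {"user": user, "device": device_id,
                     "step_up_pending": pending, "otp": otp}
    # The flag returned to the client is a hint for the UI only.
    return {"session": sid, "challenge_required": pending}

def complete_step_up(sid, code):
    """Clear the pending challenge only if the submitted code matches the stored one."""
    s = sessions.get(sid)
    if s is None or not s["step_up_pending"]:
        return False
    if not secrets.compare_digest(s["otp"], code):
        return False
    s["step_up_pending"], s["otp"] = False, None
    KNOWN_DEVICES.setdefault(s["user"], set()).add(s["device"])  # remember the device
    return True

def send_money_weak(client_state):
    """Weak pattern: the action trusts the challenge flag the client echoes back.
    Anything the client controls can be altered before it reaches the server."""
    return "challenge" if client_state["challenge_required"] else "ok"

def send_money_hardened(sid):
    """Hardened pattern: the decision is read from server-side session state only."""
    s = sessions.get(sid)
    if s is None:
        return "denied"
    return "challenge" if s["step_up_pending"] else "ok"
```

The point is that a risk decision only holds if every sensitive endpoint re-reads it from state the client cannot edit; a flag that merely travels through the client proves nothing.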
Two-factor authentication means something specific these days: a secondary identity check at the point of every login, or every new login, intended as a user-controlled confirmation of identity over and above a username and password. This is usually an SMS one-time code, but it can be a PIN that is separate from your password, an authenticator app, or even an external security key.
There have been several stories of 2FA being defeated, for instance through SIM jacking and the high-profile hacks of celebrity Twitter accounts. And last year the FBI, somewhat controversially, warned that attackers were spoofing secondary authentication and that only biometrics could be considered attack-proof.
PayPal does offer straightforward two-factor authentication, and you can see its set-up in the image below. It would prevent an attacker from gaining access to an account without the user’s cellphone or authenticator app, rendering a backend security check bypass useless. CyberNews does not claim that this 2FA mechanism was compromised.
CyberNews admits that the terminology in its report is confusing, telling me that on such logins PayPal’s algorithm activates: “Since this security measure requires a separate device beyond the person’s username and password, we used the term 2FA as a reference or similarity. And we assume this is where the misunderstanding started.”
This was not helped by a quote given to a U.K. media outlet: “PayPal and other sites such as Amazon and banks use two-factor authentication, so if an important change is made to the account, this is double-checked, for instance through a security code texted to the user’s mobile phone. We alerted [PayPal] last month that this double-check can currently be bypassed, rendering it ineffective against any hacker who gains a person’s email and password.”
CyberNews clarified that this was a mistake: “This specific quote was a general one, in response to all six vulnerabilities we discovered. Now that we can follow your definition of 2FA, we can express it differently.”
And here is the crux. The vulnerabilities found are significant in themselves, but the confusion has muddied the debate. CyberNews seems to feel very strongly that the issues should be disclosed and patched, and the team looks very frustrated that they have not been. “We still want to emphasize,” one of the group told me, “that these ‘double checks’ from PayPal’s side, whether this main security bypass, the name change, or the phone verification, were easily bypassed.”
CyberNews also questions how much the confusion matters, pointing out that not many users have enabled the real 2FA to protect their accounts, relying instead on device checks. I asked PayPal what percentage of users have enabled genuine 2FA, but no information was available. “It does put a huge risk on many people’s accounts that don’t have user-enabled 2FA,” which is most PayPal users, CyberNews said. “We believe the patch for this issue should be pretty straightforward, and we essentially want [PayPal] to take action.”
When I met with them, PayPal did not ignore the issue but assured me it was a risk it believes its systems control. And it is difficult to argue the case unless or until we have instances of accounts emptied via the hack. The PayPal spokesperson also told me that customers would be made financially whole for any loss resulting from a flaw in its systems and security checks. As such, I was told, there is no financial risk of “bank accounts being emptied.”
For the time being, beating 2FA involves either hijacking a victim’s mobile device or other authentication factor, or intercepting the one-time codes the victim enters. There is the risk that an attacker who gains remote access to a target machine can steal the credentials and then the 2FA code in real time. It is involved and requires a real-time attack, but it is not technically complicated.
“We are making these vulnerabilities public to warn [PayPal’s] 305 million account holders and compel PayPal to fix them before hackers exploit these security flaws,” CyberNews told the media last week when its findings were published. Then, just before publication, CyberNews told me that they had assumed PayPal could fix the problem, but said they could still bypass the backend system check.
The other vulnerabilities described by CyberNews in its report included intercepting the check on registering a new phone to an account and bypassing system checks when money is sent. Even though these have now been made public and disclosed to PayPal, I have not seen any of those vulnerabilities demonstrated.
So, should you worry? Given the number of stolen credentials available for purchase, changing your PayPal password and keeping it unique to PayPal is one protection. Following sound password advice would also help.
PayPal also offers security tools that will ensure this hack cannot harm you: you can enable 2FA through the web portal. As inconvenient as that might make the login process, 2FA is always a good move, given the current climate of credential theft and large-scale data breaches.