PayPal has suspended two-factor authentication after a flaw in how it handles logins from its mobile apps surfaced late last week.
The decision to pull two-factor authentication follows a disclosure from DUO Security researcher Zach Lanier. In a June 25 blog post, Lanier showed that it was possible, even trivial, to bypass PayPal's two-factor authentication, which the company calls the Security Key mechanism. The vulnerability occurs when accessing the service from any mobile app.
To exploit the flaw, Lanier found, an unskilled attacker would need only a person's PayPal email address and password, both of which could in some cases be easy to guess, particularly if the target has reused an existing password or chosen a weak or obvious one.
The PayPal web API uses OAuth for user authentication and authorization; however, the two-factor requirement is enforced only by the accessing client, not by the server. Lanier wrote: "We developed a proof-of-concept exploit to leverage this lack of 2FA enforcement, interfacing with the PayPal API directly and effectively mimicking the PayPal mobile app as though it were accessing a non-2FA account."
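To illustrate the design difference Lanier describes, here is an added toy model in Python (not code from Duo, PayPal, or the researcher; the accounts, fixed OTP and token scheme are constructed): the flawed pattern, where the server issues a full token and merely flags to the client that 2FA is required, beside a server-enforced step-up flow in which no usable token exists until the second factor is verified.

```python
import hmac
import secrets

# Constructed demo accounts; the OTP is a fixed value so the example runs offline.
USERS = {
    "alice@example.com": {"password": "correct-horse", "twofa_enabled": True, "otp": "492817"},
    "bob@example.com": {"password": "battery-staple", "twofa_enabled": False, "otp": None},
}
TOKENS = {}   # access_token -> email: the only thing the resource server trusts
PENDING = {}  # step_up_token -> email: password verified, second factor still owed

def _password_ok(email, password):
    user = USERS.get(email)
    return user is not None and hmac.compare_digest(user["password"], password)

def _issue_token(email):
    token = secrets.token_urlsafe(24)
    TOKENS[token] = email
    return token

def login_insecure(email, password):
    """Flawed pattern: a full token is issued on the password alone; the server
    only *tells* the client that 2FA is required and trusts it to enforce that.
    A client that ignores the flag gets full API access."""
    if not _password_ok(email, password):
        return None
    return {"access_token": _issue_token(email),
            "twofa_required": USERS[email]["twofa_enabled"]}

def login_hardened(email, password):
    """Server-side enforcement: a 2FA-enabled account receives only a step-up
    token, which no API endpoint accepts; the full token waits for the OTP."""
    if not _password_ok(email, password):
        return None
    if USERS[email]["twofa_enabled"]:
        step_up = secrets.token_urlsafe(24)
        PENDING[step_up] = email
        return {"access_token": None, "step_up_token": step_up}
    return {"access_token": _issue_token(email), "step_up_token": None}

def complete_2fa(step_up_token, otp):
    """Exchange a single-use step-up token plus a valid OTP for a full token.
    A wrong OTP consumes the step-up token, forcing a fresh password login."""
    email = PENDING.pop(step_up_token, None)
    if email is None or not hmac.compare_digest(USERS[email]["otp"], otp):
        return None
    return {"access_token": _issue_token(email), "step_up_token": None}

def api_whoami(token):
    """Resource server: honours only tokens the authorization step issued."""
    return TOKENS.get(token)
```

The key property is that the resource server never sees a "2FA pending" flag it could be tricked into ignoring; the authorization server simply withholds the token.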
The researcher notes that the standard browser-based PayPal web interface is not affected by the bypass.
Lanier said he became curious when observing the behavior of an iOS version of the PayPal app. "[T]he PayPal iOS application exhibited suspicious behavior by briefly showing the user’s account information and transaction history prior to forcefully logging them out. Based on this behavior, we decided to investigate what was happening communications-wise on the wire. Using Burp, we intercepted and analyzed HTTP/HTTPS traffic between the PayPal mobile apps and remote PayPal web services. In particular, we observed the authentication process, paying close attention to how the service responded to 2FA-enabled accounts versus non-2FA-enabled accounts."
In response, PayPal has discontinued two-factor authentication for the time being. "If you have chosen to add 2FA (two-factor authentication) to your PayPal account, your account also remains secure and 2FA will continue to operate as usual on the vast majority of PayPal product experiences," PayPal Director of Global Initiatives Anuj Nayar wrote in a company blog post. "PayPal does not depend on 2FA to keep accounts secure," Nayar notes.
DUO Security says that a fix should be available at the end of July, roughly in time for Black Hat USA, although PayPal does not state a date in its own blog post.