PayPal's 2-Factor Authentication Easily Bypassed By Teen Security Researcher

Advertisement
By NDTV Correspondent | Updated: 6 August 2014 11:24 IST
A 17-year-old Australian security researcher has published information describing a shockingly simple way to bypass PayPal's two-factor authentication process for user account credentials. PayPal has often been targeted by criminals and fraudsters, but this particular flaw appears to be a glaring oversight on the part of the company itself and its parent company, eBay Inc.

The teen, Joshua Rogers, had originally discovered the problem in early June and had notified PayPal of the problem. He has now gone public after having received no satisfactory response from the company since then, with a blog post and even a video demonstrating the process.

The flaw arises thanks to a feature of eBay and PayPal that allows accounts on both sites to be linked in order to facilitate incoming and outgoing payments. Anyone with malicious intent could trick eBay into setting a cookie that flags users as already logged in. This indicates to PayPal that it does not need to put users through a verification process when they visit the site directly.

According to Rogers, an eBay account isn't even necessary once you have a specific URL string which sets the two-factor flag.

Two-factor authentication requires users to provide not only a username and password, but also a second tier of credentials before they are allowed access to a website or online service. The second credential is often in the form of a one-time code generated on the spot and sent to the user's pre-registered mobile phone or another offline physical token. In this way, a person trying to access the service can be determined to both know something and have something that only he or she should know and have.

The flaw only removes the second layer of authentication. Attackers still need to be in possession of the primary password. Common criminal tools such as Trojans and keyloggers are frequently used to amass such credentials, which is why two-factor authentication is often considered a necessity.

This is not the first time PayPal's security has been the subject of scrutiny. The service is a particularly high-profile target for attackers considering it is used to store large amounts of money.
Post your comments

Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.

Further reading: Internet, Joshua Rogers, PayPal, eBay, security
Xolo A550s IPS With 4-Inch Display Now Available Online at Rs. 5,599
Apple App Store Achieves Record-Setting Revenues in July
Advertisement

Related Stories

Google and ChatGPT Remain the Most Popular Services as Internet Traffic Grows by 19 Percent: Cloudflare
16 December 2025
Clocks on Mars Run Faster Than on Earth, New Study Finds
15 December 2025
Starlink Executive Clarifies: India Pricing Was a 'Glitch', Still Awaiting Launch Approval
9 December 2025
SpaceX Expands Starlink Network With 29-Satellite Falcon 9 Launch
8 December 2025
Cloudflare Restores Services After Outage That Impacted Several Websites Including BookMyShow, SpaceX, Coinbase
5 December 2025
Popular on Gadgets
Latest Gadgets
Popular Mobile Brands
#Trending Stories
  1. Here's How Much the Realme 16 Pro Series Could Cost in India
  2. Samsung Galaxy S26 Ultra Tipped to Launch With These Camera Improvements
  3. Moto X70 Air Pro Teaser Confirms AI Focus and Pro Upgrade
  4. Xiaomi Mix 5 to Support Under-Display 3D Facial Recognition, Tipster Claims
  5. Innocent (2025) Now Available For Streaming Online: What You Need to Know
  6. Japan's H3 Rocket Suffers Setback as Michibiki 5 Navigation Satellite Launch Fails
  7. OnePlus 16 Could Feature Same Cameras as the Rumoured Oppo Find N6
  8. Samsung Galaxy S26, Galaxy S26 Ultra Spotted in Leaked Hands-On Images
#Latest Stories
  1. China Proposes New AI Rules to Safeguard Minors, Prevent Harmful Output
  2. Space Rocket Crashes in 2025: Why This Year Saw an Unusually High Number of Orbital Launch Failures
  3. Cyberpunk 2 Said to Launch in Q4 2030, The Witcher 3 Tipped to Get Third Paid Expansion Next Year
  4. Meta Acquires Autonomous Agent Developer Manus AI, Marks Its Fifth Deal in 2025
  5. Samsung Galaxy Watch 4 One UI 8 Rollout Reportedly Paused as Users Highlight Battery, Sensor Issues
  6. Apple Patent Suggests AR Smart Glasses Could Offer Improved Comfort With Adjustable Arms
  7. Xiaomi Mix 5 Tipped to Launch With Quad Curved Screen, Under-Display Selfie Camera With 3D Facial Recognition
  8. MIT Develops 3D-Printable Aluminum Alloy That’s Up to Five Times Stronger Than Conventional Metals
  9. iPhone 17 Pro, iPhone 17 Pro Max Users Report Charging-Related Static Speaker Noise
  10. Celestis to Send Human Ashes Beyond the Moon on Deep-Space Memorial Flight in 2026
Gadgets 360 is available in
Follow Us
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.