PayPal's 2-Factor Authentication Easily Bypassed By Teen Security Researcher

Advertisement
By NDTV Correspondent | Updated: 6 August 2014 11:24 IST
A 17-year-old Australian security researcher has published information describing a shockingly simple way to bypass PayPal's two-factor authentication process for user account credentials. PayPal has often been targeted by criminals and fraudsters, but this particular flaw appears to be a glaring oversight on the part of the company itself and its parent company, eBay Inc.

The teen, Joshua Rogers, had originally discovered the problem in early June and had notified PayPal of the problem. He has now gone public after having received no satisfactory response from the company since then, with a blog post and even a video demonstrating the process.

The flaw arises thanks to a feature of eBay and PayPal that allows accounts on both sites to be linked in order to facilitate incoming and outgoing payments. Anyone with malicious intent could trick eBay into setting a cookie that flags users as already logged in. This indicates to PayPal that it does not need to put users through a verification process when they visit the site directly.

According to Rogers, an eBay account isn't even necessary once you have a specific URL string which sets the two-factor flag.

Two-factor authentication requires users to provide not only a username and password, but also a second tier of credentials before they are allowed access to a website or online service. The second credential is often in the form of a one-time code generated on the spot and sent to the user's pre-registered mobile phone or another offline physical token. In this way, a person trying to access the service can be determined to both know something and have something that only he or she should know and have.

The flaw only removes the second layer of authentication. Attackers still need to be in possession of the primary password. Common criminal tools such as Trojans and keyloggers are frequently used to amass such credentials, which is why two-factor authentication is often considered a necessity.

This is not the first time PayPal's security has been the subject of scrutiny. The service is a particularly high-profile target for attackers considering it is used to store large amounts of money.

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Further reading: Internet, Joshua Rogers, PayPal, eBay, security
Advertisement

Related Stories

Popular Mobile Brands
  1. OpenAI Codex Micro Launched as a Keyboard Built for AI Coding Workflows
  2. Lenovo Legion Y700 Infinite Chipset Details Teased Officially; Key Specs Tipped
  1. Google Rebrands NotebookLM as Gemini Notebook; Brings Cloud Computing and Search Integration
  2. Samsung Music Studio 5, Music Studio 7 Wi-Fi Speakers Launched in India
  3. Ostium Suspends Trading Following Oracle Security Incident Drains Millions
  4. Oppo’s New A Series, Upcoming OnePlus Mid-Range Smartphones Tipped to Launch With 10,000mAh Batteries
  5. WhatsApp Reportedly Rolls Out Mic Mode Controls for iPhone Calls
  6. Former Rockstar Games Developer Explains Why GTA 6 Maker Launches Games on PC After Consoles
  7. Samsung Galaxy Tab S12 Ultra CAD Renders Leaked Online; Reveals Familiar Look
  8. Apple Back to School Sale Now Live in India, Bringing Offers on MacBook Air, iPad Pro and More
  9. Realme Could Replace Realme UI With ColorOS 17 in India: Report
  10. Nubia NaviX Ultra Design, Colour Options Unveiled Ahead of July 17 Launch
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.