Trivial Bypass of PayPal Two-Factor Authentication On Mobile Devices (securityledger.com)
chicksdaddy writes: The Security Ledger reports on research from DUO Labs that exposes a serious gap in protection with PayPal Security Key, the company's two-factor authentication service.
According to DUO (https://duosecurity.com/blog/duo-security-researchers-uncover-bypass-of-paypal-s-two-factor-authentication), PayPal's mobile app doesn't yet support Security Key and displays an error message to users with the feature enabled when they try to log in to their PayPal account from a mobile device, terminating their session automatically.
However, researchers at DUO noticed that the PayPal iOS application would briefly display a user’s account information and transaction history prior to displaying that error message and logging them out. The behavior suggested that mobile users were, in fact, being signed in to their account prior to being logged off. The DUO researchers investigated: intercepting and analyzing the Web transaction between the PayPal mobile application and PayPal’s back end servers and scrutinizing how sessions for two-factor-enabled accounts versus non-two-factor-enabled accounts were handled.
They discovered that the API uses the OAuth technology for user authentication and authorization, but that PayPal only enforces the two-factor requirement on the client – not on the server.
An attacker with knowledge of the flaw and a PayPal user's login and password could easily evade the requirement to enter a second factor before accessing the account and transmitting money.
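As an added illustration, not code from the article or from DUO's research, the following toy Python authorization server contrasts the two enforcement models the submission describes: one where the server fully authorizes an account after the password alone and leaves the second-factor prompt to the client, and one where the server records second-factor state in the session and gates sensitive API calls on it. The account store, OTP value and function names are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample account store: one user with a second factor enabled.
# (Plaintext password and a fixed OTP are a simplification for the demo.)
ACCOUNTS = {"alice": {"password": "correct horse", "two_factor": True, "otp": "492817"}}


@dataclass
class Session:
    user: str
    second_factor_done: bool = False
    token: str = field(default_factory=lambda: secrets.token_hex(16))


def _password_ok(user, password):
    acct = ACCOUNTS.get(user)
    return acct is not None and hmac.compare_digest(acct["password"], password)


# Weak pattern: the server issues a fully privileged session after the password
# check and relies on the client to decide whether to ask for the second factor.
def login_client_enforced(user, password):
    if not _password_ok(user, password):
        return None
    return Session(user=user, second_factor_done=True)


# Hardened pattern: the server itself tracks whether the second factor has been
# completed, so a client that skips the prompt gains nothing.
def login_server_enforced(user, password):
    if not _password_ok(user, password):
        return None
    needs_2fa = ACCOUNTS[user]["two_factor"]
    return Session(user=user, second_factor_done=not needs_2fa)


def verify_second_factor(session, otp):
    if hmac.compare_digest(ACCOUNTS[session.user]["otp"], otp):
        session.second_factor_done = True
    return session.second_factor_done


def send_money(session, amount):
    """Sensitive API: gated on server-side 2FA state, never on client behaviour."""
    if session is None or not session.second_factor_done:
        return "denied: second factor required"
    return f"sent {amount} from {session.user}"
```

The first login function reproduces the class of gap described above: any client that simply never asks for the second factor can call the money-transfer API with password-only credentials.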