PayPal's authentication is no challenge for one hacker

The white hat hacker said he could bypass the two-step security measures used to protect customer accounts

A teenage hacker who spends his time trying to find security flaws to help companies has revealed he could easily bypass PayPal's two-step authentication process to access user accounts.

Joshua Rogers, a 17-year-old Australian, says he would be able to hack PayPal's system by spoofing a browser cookie created when users link their eBay and PayPal accounts together - something that is encouraged by the online auction site.

When the cookie is active, the authentication is hacked. This means the accounts can be accessed if a hacker gets hold of a user's login details, without having to input the six-digit one-time authentication password sent to the user's registered mobile phone number.

It's a set-up many websites use to protect customers against hacking if someone uncovers website passwords.

Rogers reported the vulnerability to PayPal in June, but failed to receive a response from the online payment service, so he announce the flaw publicly on his blog.

He said in his announcement: "Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lays. Now just load http://www.paypal.com/ and you are logged in and don't need to re-enter your login."

Commenting on the news, PayPal said in a statement that it is aware of the issue, but played down the risk it poses to users. 

"2FA is an extra layer of security some customers have chosen to add to their PayPal accounts. We are working to get the issue addressed as quickly as possible. It is important to clarify that 2FA provides extra assurance to keep accounts secure, however usernames and passwords are still required to gain access to all PayPal accounts," it reads. 

"Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way. If you have chosen to add 2FA to your PayPal account, your account will continue to operate as usual on the vast majority of PayPal product experiences.

"We have extensive fraud and risk detection models and dedicated security teams who work to help keep our customers' accounts secure from fraudulent transactions, everyday. We apologise for any inconvenience caused to affected customers who use our 2FA process and we will continue to work hard to address this issue."

He told Australian security website CSO: "I don't care about the money, no. Money isn't everything in this world."

This story was published earlier today, before being updated at 13:45 to include PayPal's comments on the issue.

Featured Resources

The ultimate guide to business connectivity in field services

A roadmap to increased workplace efficiency

Free download

The definitive guide to migrating to the cloud

Migrate apps to the public cloud with multi-cloud infrastructure solutions

Free download

Transform your network with advanced load balancing from VMware

How to modernise load balancing to enable digital transformation

Free download

How to secure workloads in hybrid clouds

Cloud workload protection

Free download

Recommended

100 million IoT devices affected by zero-day flaw
Internet of Things (IoT)

100 million IoT devices affected by zero-day flaw

24 Sep 2021
New FamousSparrow hacking group caught targeting hotels
vulnerability

New FamousSparrow hacking group caught targeting hotels

24 Sep 2021
Dual citizen sentenced to 11 years for role in North Korean crypto hacking scheme
hacking

Dual citizen sentenced to 11 years for role in North Korean crypto hacking scheme

10 Sep 2021
IoT devices are more vulnerable than ever
Internet of Things (IoT)

IoT devices are more vulnerable than ever

10 Sep 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021