
Cyber Security Info

Serious vulnerability of PayPal’s two factor authentication

June 26, 2014


Duo Security has disclosed a serious weakness in the way PayPal enforced two-factor authentication (2FA). PayPal's mobile applications do not support 2FA, so when the owner of a 2FA-enabled account tries to sign in, the app shows a message saying the account cannot be used from the app. That message, however, appears only after the app has already authenticated and is, for a brief moment, logged in to the account. Duo found that the pop-up is triggered by a single attribute in the server's response that tells the application the account has 2FA enabled; the decision to lock the user out is made on the client, not on the server. 2FA can therefore be bypassed either by cutting the device's network connection for a moment right after login, so the app never gets to act on the flag, or by altering the attribute in transit. PayPal has put a provisional fix in place and is working on a permanent one. It is notable, though, that it took PayPal three months to react to a vulnerability of this severity.
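The flaw described above is a general one: the server grants a session on the password alone and leaves it to the client to decide, from a flag in the response, whether the user may keep it. The following is an added example, not PayPal's code or Duo Security's; it models a vulnerable server and app, the two bypasses (flag tampering and a dropped connection), and a hardened server that withholds the session until the second factor is verified. The field name has_2fa, the account data and the token formats are assumptions constructed for the example.

```python
"""Client-side vs. server-side enforcement of a second factor (constructed example)."""
import hmac
import secrets

# Constructed accounts. Plain-text passwords and a fixed OTP stand in for a
# real KDF and TOTP; they are not the point of the example.
ACCOUNTS = {
    "alice": {"password": "correct horse", "has_2fa": True, "otp": "492817"},
    "bob": {"password": "battery staple", "has_2fa": False, "otp": None},
}


class VulnerableServer:
    """Issues a full session after the password alone; 2FA is only advertised."""

    def __init__(self):
        self.sessions = set()

    def login(self, user, password):
        acct = ACCOUNTS.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return {"error": "bad credentials"}
        token = secrets.token_hex(16)
        self.sessions.add(token)  # valid immediately, 2FA account or not
        return {"session": token, "has_2fa": acct["has_2fa"]}  # assumed field name

    def is_valid(self, token):
        return token in self.sessions


def vulnerable_client(server, user, password, tamper=None, act_on_flag=True):
    """Mobile-app logic: log in, then decide *locally* whether to stay logged in.

    tamper: optional function rewriting the response (an attacker on the path).
    act_on_flag=False models the network dropping before the app can log out.
    """
    resp = server.login(user, password)
    if tamper:
        resp = tamper(resp)
    if "error" in resp:
        return None
    if act_on_flag and resp.get("has_2fa"):
        server.sessions.discard(resp["session"])  # client-initiated logout
        return None  # the "2FA not supported" pop-up
    return resp["session"]


class HardenedServer:
    """Never issues a session for a 2FA account until the OTP has been verified."""

    def __init__(self):
        self.sessions = set()
        self.pending = {}  # challenge id -> user awaiting second factor

    def login(self, user, password):
        acct = ACCOUNTS.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return {"error": "bad credentials"}
        if acct["has_2fa"]:
            cid = secrets.token_hex(16)
            self.pending[cid] = user
            return {"challenge": cid}  # no session yet, nothing for a flag flip to unlock
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return {"session": token}

    def verify_otp(self, challenge, otp):
        user = self.pending.pop(challenge, None)
        if user is None or not hmac.compare_digest(ACCOUNTS[user]["otp"], otp):
            return {"error": "bad challenge or OTP"}
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return {"session": token}

    def is_valid(self, token):
        return token in self.sessions


def vulnerable_honest_flow():
    """Untampered app: the user is logged out again, as the page describes."""
    return vulnerable_client(VulnerableServer(), "alice", "correct horse") is None


def attack_by_flag_flip():
    """Attacker rewrites has_2fa to False; the server still honours the session."""
    srv = VulnerableServer()
    tok = vulnerable_client(srv, "alice", "correct horse",
                            tamper=lambda r: {**r, "has_2fa": False})
    return tok is not None and srv.is_valid(tok)


def attack_by_network_drop():
    """The app never sends its logout; the already-issued session stays valid."""
    srv = VulnerableServer()
    tok = vulnerable_client(srv, "alice", "correct horse", act_on_flag=False)
    return tok is not None and srv.is_valid(tok)


def hardened_resists_flag_flip():
    """Same tampering against the hardened server yields no session at all."""
    srv = HardenedServer()
    resp = {**srv.login("alice", "correct horse"), "has_2fa": False}
    return "session" not in resp and not srv.sessions


def hardened_honest_flow():
    """Password, then OTP, then a session: the only path that succeeds."""
    srv = HardenedServer()
    step1 = srv.login("alice", "correct horse")
    return srv.is_valid(srv.verify_otp(step1["challenge"], "492817")["session"])
```

The check a reviewer should apply to any 2FA design is the one the hardened server passes: after the first factor, the server must hold no credential that is already usable, so that nothing the client does or fails to do can turn a half-finished login into a live session.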
