Twenty Year Anniversary

PayPal 2FA Bypass

PayPal 2FA Bypass
Posted Aug 15, 2016
Authored by Shawar Khan | Site vulnerability-lab.com

PayPal suffered from a two-factor authentication bypass vulnerability.

tags | exploit, bypass
MD5 | 5fd8a55eb3be5fd0fd4a9fd7259e0dea

PayPal 2FA Bypass

Change Mirror Download
Document Title:
===============
PayPal Inc BB #127 - 2FA Bypass Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1903


Release Date:
=============
2016-08-12


Vulnerability Laboratory ID (VL-ID):
====================================
1903


Common Vulnerability Scoring System:
====================================
6.2


Product & Service Introduction:
===============================
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money
transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders.

(Copy of the Homepage: www.paypal.com )


Abstract Advisory Information:
==============================
The independent vulnerability laboratory researcher (shawar khan) discovered a vulnerability in the official PayPal website (api) web-application).
The issue allows an attacker to bypass the 2-factor authentication and mobile confirmation which could lead to unauthorized access.



Vulnerability Disclosure Timeline:
==================================
2016-05-13: Researcher Notification & Coordination (Shawar Khan)
2016-05-14: Vendor Notification (PayPal Inc Bug Bounty Program - Security Team)
2016-05-24: Vendor Response/Feedback (PayPal Inc Bug Bounty Program - Security Team)
2016-07-10: Vendor Fix/Patch (PayPal Inc Developer Team)
2016-07-18: Acknowledgements (PayPal Inc Bug Bounty Program - Security Team)
2016-08-12: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
PayPal Inc
Product: PayPal - Online Service Web Application 2016 Q3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A 2 Factor Authentication Bypass Vulnerability was discovered in the official PayPal website (api) web-application).

This vulnerability allows an attacker to bypass the 2FA mechanism for access to accounts of paypal without verifying in
the basic procedure the identity with confirmation. The security vulnerability is located in the paypal login portals of
uk and the paypal preview. Each Portal is having an issue which can lead to a full bypass once used in a combined way.

If the user have 2FA activated in his account. Whenever an user logs into his account, paypal will ask the
user to verify the identity. Verification can be made via phone number or by confirming the login request
via paypal mobile app (api). The mechanism mainly prevents unauthorized acccess to the account and provides
an extra layer of security.

The login portal of paypal preview is missing verification mechanism in it. When an user is logged in via paypal
preview's login portal, the user is logged in without any verification and the login is successful but there is
no settings or anything of interest. When logged in via paypal uk login portal, it checks if the user account is already
signed in from any other portal or not. Once it checks the user is already logged in via
paypal preview (without verification)
it allows us access to the account without any kind of verification. This is the way how 2FA was bypassed in
paypal due to lack of 2FA protection.


Proof of Concept (PoC):
=======================
PayPal uses an additional layer of security known as 2-Factor Authentication which is used to verify the
user's identity so no unauthorized access would be allowed. The mechanism verifies the user's identity by
calling or messaging a code to phone number or by confirming the login via Mobile App. Without these,
the account will not be accessed. By following the procedure below the 2FA protection can be bypassed:


Site: PayPal ( www.paypal.com )
PayPal UK Login Portal: https://www.paypal.com/uk/cgi-bin/?cmd=_email_receipt
PayPal Preview Login Portal: https://www.paypal.com/webapps/garden/page/garden.form


Steps to reproduce:
1. Open PayPal UK Login Portal in a new tab(keep it open)
2. On the other tab, open PayPal Preview Login Portal
3. Login to your account in the URL which is opened in step 2
4. Enter credentials in the new window which appears
5. Refresh the page which was opened in step 1
6. Now you will be logged, Click on view account button which will lead you to your account and the 2 step verification will be bypassed


Solution - Fix & Patch:
=======================
In every login portals, verification checks must be deployed even if the user is already logged in.
This will prevent unauthorized access to the account.


Security Risk:
==============
This vulnerability allows an attacker to bypass the 2-factor authentication and mobile confirmation
which could lead to unauthorized access.


Credits & Authors:
==================
Shawar Khan - (https://shawarkhan.com) [http://www.vulnerability-lab.com/show.php?user=Shawar%20Khan]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.

Copyright A(c) 2016 | Vulnerability Laboratory - [Evolution Security GmbH]aC/



--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    7 Files
  • 23
    Jun 23rd
    2 Files
  • 24
    Jun 24th
    1 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close