Three months after announcing a security flaw he has found in their system, a 17-year-old hobby researcher has decided to come forward due to a lack of response from PayPal.
Referred to as the Paypal Complete 2-Factor Authentication(2FA) Bypass Exploit, an eBay account could essentially be used to bypass the two-tier security system in place to keep others from accessing PayPal funds. It did not have to be the PP account associated with an eBay account to do so.
Technically, this could also be done without an eBay account, though the service seems to be the biggest break in the chain.
It works by allowing access to an intermediary login listed “between” the two tiers. So with a password only, they could access any PayPal account without ever needing the secondary verification.
What’s more, this could be done fairly easily. And let’s face it, cracking most people’s passwords isn’t that much of a chore.
I once illustrated this to a friend of mine who claimed I wouldn’t be able to do it. But he had forgotten that years before he had asked me to access his email to pull up a receipt, and he just happened to use that password for everything. “Hacking” time: about 4 seconds.
Which is the problem with most security issues these days. Some people take their password protection seriously. Some only take it kinda seriously – which would be most of us. Others don’t even realize that a password isn’t some magical word that gives form to a digital dragon who protects our online information.
So, in short, people who have any chance of their password being easily accessed are the only ones who should be too worried. Might be time to change it to something more complicated, just in case.
But what is really incredible about this story isn’t the exploit; that kind of thing is discovered all the time, though the fact a teenager found it is pretty cool for him. What is amazing is that this flaw was exposed three months ago. After being totally ignored and the problem not being addressed by the company, Joshua Rogers has decided to release the information to the public via Just Another Security Blog.
Want something even more amazing? It was discovered a second time, by another (not teenage) researcher before they decided to start doing something about it. Which was still only about a week ago.
PayPal isn’t really too concerned, which isn’t a huge surprise. The Verge writer Russell Brandom had a great point about it: PayPal just doesn’t really care.