PayPal Authentication Bypass still works

Benjamin Kunz Mejri, CEO of Vulnerability Lab, has found a way to bypass PayPal's authentication procedure through its mobile applications, even when two-factor authentication (2FA) is turned on.

Mejri found that by switching to PayPal's Android and iOS apps, a user can bypass the authentication procedure and get into an account that PayPal has "blocked" (restricted) on the web.

"Even if the account is restricted the user can access via the mobile API by using the existing cookies," says Mejri, referring to a technique in which he replaces expired cookies with still-valid session cookies.

By doing this, he is redirected to the PayPal dashboard when using the mobile apps, even though the same account is treated as "blocked" when accessed from a desktop browser.

Inside the dashboard he was able to interact with account settings. According to Mejri, there is potential for fraud if an attacker can gain access to "blocked" accounts through such an authentication bypass and then initiate payments or money transfers.

Mejri says he contacted PayPal in April, but company employees were unable to reproduce his steps.

After waiting four months, Mejri published his findings.
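The pattern described in the report, a session that is refused on one channel but still accepted on another, is what you get when the "is this account restricted?" check lives in the web login flow rather than in the session-validation layer shared by every API surface. The following is an added, constructed illustration of that bug and its fix; it is not PayPal's code, the article does not describe PayPal's actual server logic, and the account names, handler names and messages are hypothetical. The vulnerable mobile handler only checks that the cookie maps to a session; the hardened handler routes every channel through one authorize() that re-checks expiry, 2FA completion and the account's restricted flag on every request.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    user_id: str
    restricted: bool = False  # the "blocked"/limited flag set after a fraud or compliance review


@dataclass
class Session:
    user_id: str
    issued_at: float
    twofa_passed: bool
    ttl: float = 3600.0  # seconds


class Backend:
    """Constructed toy backend: accounts plus cookie -> session mappings (hypothetical, not PayPal's)."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, user_id: str) -> Account:
        acct = Account(user_id)
        self.accounts[user_id] = acct
        return acct

    def login(self, user_id: str, twofa_passed: bool) -> str:
        """Issue an opaque random session cookie after login."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user_id, time.time(), twofa_passed)
        return cookie

    def restrict(self, user_id: str) -> None:
        """Mark the account as blocked. Note: existing sessions are deliberately NOT revoked here,
        which is what makes the per-channel check below matter."""
        self.accounts[user_id].restricted = True

    # Web dashboard: consults account state on every request.
    def web_dashboard(self, cookie: str) -> str:
        sess = self.sessions.get(cookie)
        if sess is None:
            return "login required"
        if self.accounts[sess.user_id].restricted:
            return "account restricted"
        return f"dashboard for {sess.user_id}"

    # Mobile API, vulnerable variant: cookie lookup only.
    def mobile_api_vulnerable(self, cookie: str) -> str:
        sess = self.sessions.get(cookie)
        if sess is None:
            return "login required"
        # BUG: the restricted flag is never consulted, so a cookie issued before
        # the restriction keeps working on this channel.
        return f"dashboard for {sess.user_id}"

    # Shared authorization used by every channel (the fix).
    def authorize(self, cookie: str) -> Session | None:
        sess = self.sessions.get(cookie)
        if sess is None:
            return None
        if time.time() - sess.issued_at > sess.ttl:
            self.sessions.pop(cookie, None)  # expired: drop it server-side too
            return None
        if not sess.twofa_passed:
            return None
        if self.accounts[sess.user_id].restricted:
            return None
        return sess

    # Mobile API, hardened variant: same decision logic as every other surface.
    def mobile_api_hardened(self, cookie: str) -> str:
        sess = self.authorize(cookie)
        if sess is None:
            return "access denied"
        return f"dashboard for {sess.user_id}"


def scenario() -> dict[str, str]:
    """Log in, restrict the account afterwards, then replay the old cookie on each surface."""
    be = Backend()
    be.register("alice")
    cookie = be.login("alice", twofa_passed=True)
    be.restrict("alice")  # account gets blocked while a valid session still exists
    return {
        "web": be.web_dashboard(cookie),
        "mobile_vulnerable": be.mobile_api_vulnerable(cookie),
        "mobile_hardened": be.mobile_api_hardened(cookie),
    }


if __name__ == "__main__":
    for surface, outcome in scenario().items():
        print(f"{surface:17s} -> {outcome}")
```

The point of the shared authorize() is that account state is re-evaluated on every request rather than only at login, so a block applied after the session was issued takes effect everywhere at once. Revoking all of the account's sessions at the moment it is restricted is the belt-and-braces complement; it is omitted above precisely so the cross-channel gap is visible.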



Sep 8, 2015, 3:11 PM