A newly uncovered vulnerability shows that the way PayPal handles requests from mobile clients can allow an attacker to bypass the two-factor authentication mechanism and send any desired amount of money from the victim’s account to any recipient chosen.
The flaw lies in the way PayPal's authentication flow works with the service's mobile applications for iOS and Android. It is a server-side issue, and security researchers at Duo Security developed a proof-of-concept application that can exploit it. PayPal has been aware of the issue since March and has implemented a small workaround, but isn't planning to fully patch the flaw until the end of July.
“An attacker only needs a victim’s PayPal username and password in order to access a two-factor protected account and send money. The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified,” Zach Lanier, senior security researcher at Duo Security, wrote in his report.
“While PayPal’s mobile apps do not currently support 2FA-enabled accounts, it is possible to effectively trick the PayPal mobile applications into ignoring the 2FA flag on the account, subsequently allowing an attacker to log in without requiring secondary authentication.”
PayPal gives users the ability to use two-factor authentication in a variety of ways, each of which generates a one-time passcode for use during login. These two-factor options can be used on the official PayPal website, but they are not supported by the PayPal mobile apps at the moment. The researchers exploited the vulnerability by building an app that tricked the PayPal API into treating the account as one without two-factor authentication enabled; once it did, the system completely ignored the two-factor protection.
The proof-of-concept application talks to two specific PayPal APIs: one that handles authentication, and one that handles the money transfer after login.
Diving into the vulnerability, the researchers noticed that when PayPal's servers responded to a POST request sent from the mobile app for a two-factor-enabled account, the application would show an error message telling the user that two-factor was enabled and not supported, then send the user back to the login screen. But when the Duo researchers changed the two-factor value in the server's response to “false”, the application simply let the user into the account, bypassing all forms of two-factor protection.
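To show why the fix belongs on the server rather than in the app, here is a small added illustration (not Duo's or PayPal's code): a login endpoint that issues a session token on the password alone and merely reports the account's 2FA status to the client, beside one that withholds the token until the second factor is verified. The account data, OTP values and tokens are constructed.

```python
# Added illustration, not code from Duo Security or PayPal.
# Models a login flow where the server tells the client "2FA is on" but has
# already issued a usable session token, versus a server that enforces 2FA
# itself. Accounts, passwords, OTPs and tokens below are constructed samples.
import hmac
import secrets
from typing import Callable, Optional

ACCOUNTS = {  # constructed sample data
    "alice": {"password": "correct horse", "two_factor": True, "otp": "123456"},
    "bob": {"password": "hunter2", "two_factor": False, "otp": None},
}


def check_password(user: str, password: str) -> bool:
    acct = ACCOUNTS.get(user)
    return acct is not None and hmac.compare_digest(acct["password"], password)


def login_vulnerable(user: str, password: str) -> dict:
    """Weak pattern: the session_token is handed out on password alone and the
    2FA flag is only advisory, so enforcement depends entirely on the client."""
    if not check_password(user, password):
        return {"error": "bad credentials"}
    return {"two_factor_enabled": ACCOUNTS[user]["two_factor"],
            "session_token": secrets.token_hex(16)}


def login_hardened(user: str, password: str, otp: Optional[str] = None) -> dict:
    """Fix: no session_token exists until the server has verified the OTP."""
    if not check_password(user, password):
        return {"error": "bad credentials"}
    acct = ACCOUNTS[user]
    if acct["two_factor"]:
        if otp is None:
            return {"two_factor_required": True, "session_token": None}
        if not hmac.compare_digest(acct["otp"], otp):
            return {"error": "bad otp"}
    return {"two_factor_enabled": acct["two_factor"],
            "session_token": secrets.token_hex(16)}


def token_for_client_ignoring_flag(login: Callable, user: str,
                                   password: str) -> Optional[str]:
    """Models an app that never consults the 2FA flag and uses whatever
    session_token the server returns; against the hardened server it gets none."""
    return login(user, password).get("session_token")
```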
Lanier looked at the initial server response once more and discovered a session identifier. “As it turned out, ‘session_token’ is used for authorization against mobileclient.paypal.com, an otherwise (publicly) undocumented SOAP-based API that provides additional account-related functionality, including but not limited to sending money,” his report read.
“We then stepped through the ‘send money’ process in the mobile apps, again capturing traffic with Burp. Through this, we were able to observe the necessary requests/responses and SOAP envelopes (read: painful XML) that make up a PayPal fund transfer from their mobile applications. The funds transfer process turned out to be a four-step exchange, with each request requiring a value unique to the overall transaction.”
Using the custom-built application, the researchers were able to transfer money out of two-factor-protected accounts at will with just a username and password.
“There are plenty of cases of PayPal passwords being compromised in giant database dumps, and there’s also been a giant rise in PayPal related phishing,” he said in an interview. “That approach is already being used. People have long been and are continuing to do so. The whole two factor thing was supposed to make you feel all warm and fuzzy if your password is compromised. I’d probably use one of these techniques that are pretty darn efficient or maybe iterate through the public dumps of passwords.”
The vulnerability was initially discovered by an outside researcher named Dan Saltman, who asked Duo Security for help validating the concern and talking with PayPal’s security team.