Just Another Security/Programming Blog: Paypal's 2-Factor-Authentication(2FA): The Good, The Bad, And The Ugly. (Incl. full 2FA bypass without security questions)

Friday, 27 June 2014

Paypal's 2-Factor-Authentication(2FA): The Good, The Bad, And The Ugly. (Incl. full 2FA bypass without security questions)


Paypal, like many other services, offers 2-Factor-Authentication in an attempt to strengthen the security of users' accounts. As noted on Paypal's website, "The security key gives you an extra layer of security when you log in to your PayPal account. It creates random security codes to use along with your regular username and password."

Paypal provides two ways of using this service: through a one-time code sent as an SMS to your mobile phone, or through a physical, credit-card-sized code generator. (Or optionally, a VeriSign ID Protection key, which you can set up on your phone for free.)

An example of Paypal's security-card

Paypal's implementation of 2FA has been heavily scrutinized[1] again[2] and again[3] due to the lack of apparent security surrounding it. They allow security questions to be used to bypass the blockade of not having access to your 2FA device, and sometimes even when you do have access to your device, the code just doesn't work.

In this article, I'll be detailing "The good, the bad, and the ugly" of Paypal's 2FA programme. This includes what works, how it works, how it doesn't work, and security implications (full disclosure: there is/was a complete bypass for the 2FA without security questions).

Personally, I use the SMS version of Paypal's 2FA, thus I can only directly comment on that. Nonetheless, I'll reference a few articles in regard to their credit-card-sized number generator, and the VeriSign key generator.

The Good

Despite the bad publicity and the bad advertisement (not many people know Paypal supports 2FA), Paypal's implementation of 2FA is pretty good.

When you log in to the website, it forwards you to a page that asks you for your security token. Multiple phone numbers can be used for the SMS service.

Logging in as per usual
2FA Page

You can choose which phone number Paypal will SMS, and it will send you an SMS to the respective number.

The actual implementation of this process is that when you initially log in, you're not actually logged in; you simply have a 'context' cookie set, which is later used to initiate the real login phase.

Paypal blocks brute-force attacks of the 6-digit code by locking you out after 5 attempts, requiring you to enter personal information to unlock it.

A common security oversight when it comes to 2FA is that it can be bypassed by using the service's mobile app. Paypal doesn't suffer from this, and thus is secure in that sense. ---- Apparently that wasn't 100% true.

SMS 2FA codes also expire after 5 minutes, and thus cannot be re-used.
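The lockout and expiry rules above can be modelled in a few lines. This is an added example, not Paypal's code: the class and function names are hypothetical, and keeping the failure counter per account (so that requesting a new SMS does not reset it) and discarding a code once verified are assumptions about a sound implementation, not something observed on Paypal's side.

```python
import hmac
import secrets

MAX_FAILURES = 5            # lockout threshold stated in the post
CODE_TTL_SECONDS = 5 * 60   # SMS code lifetime stated in the post

class SmsSecondFactor:
    """Second-factor state for ONE account (hypothetical model)."""

    def __init__(self):
        self.failures = 0      # kept per account, so a re-send cannot reset it
        self.locked = False
        self.code = None
        self.issued_at = None

    def send_code(self, now):
        """Issue a fresh 6-digit code; refuse while the account is locked."""
        if self.locked:
            return None
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.issued_at = now
        return self.code       # would go to the SMS gateway, never to the browser

    def verify(self, submitted, now):
        """Return 'ok', 'wrong', 'expired' or 'locked'."""
        if self.locked:
            return "locked"
        if self.code is None or now - self.issued_at > CODE_TTL_SECONDS:
            return "expired"
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.code = None   # single use: a verified code is discarded
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True  # unlocking needs a separate identity check
        return "wrong"

def guess_odds(attempts=MAX_FAILURES, digits=6):
    """Chance that blind guessing hits the code before lockout."""
    return attempts / 10 ** digits
```

With five attempts against a 6-digit code, blind guessing succeeds with probability 5 in 1,000,000 per lockout, which is why the counter must survive re-sends.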

The Bad

Although there aren't too many problems with Paypal's 2FA programme, they still do exist.

Personally, using the SMS service, the only problem I have had is the fact that sometimes the SMS is delayed, and doesn't arrive within the 5 allotted minutes that you are given to enter it. Re-sending it usually doesn't fix this either, and they all just send at the same time (thus spamming your phone).

As noted by many, Paypal offers an option to bypass the 2FA procedure by entering security questions, or your credit-card information. This is a huge no-no when it comes to 2FA. If your computer gets a virus, then the perpetrator is inevitably going to be able to get your credit-card information. And some security questions are guessable (e.g. Favourite Food?, First Teacher?, etc.).

The Ugly

And boy, is what I found ugly.

Nothing other than what I found counts as ugly for Paypal's 2FA programme -- Good Job Paypal!

A complete 2FA bypass is what I found. Yes, really. You completely bypass the page, and can send money, view/edit personal information, etc. All you need is an email and a password.

eBay, in conjunction with Paypal, provides a service where you can link your eBay account to your Paypal account, and when you sell something on eBay, the fees automatically come out of your Paypal account.

When setting this up, you're (obviously) asked for your Paypal login.

Linking the two accounts

Login Page

When you are redirected to the login page (above), the URL contains "=_integrated-registration". Doing a quick Google search for this shows that it isn't used for anything other than eBay; thus it is set up purely for Paypal & eBay.

Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load http://www.paypal.com/, and you are logged in, and don't need to re-enter your login.

So, the actual bug itself is that the "=_integrated-registration" function does not check for a 2FA code, despite logging you into Paypal.

You could repeat the process using the same "=_integrated-registration" page unlimited times.
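The class of bug described above, a second login entry point that issues a full session without going through the 2FA step, shown as a small server-side model beside its corrected form. This is an added illustration, not Paypal's code: every name here (`establish_session`, `integrated_login_flawed`, the `context`/`full` session levels) and the sample account are hypothetical.

```python
import hmac
import secrets

# Constructed sample account; a real system stores a password hash, not the password.
USERS = {"alice@example.test": {"password": "correct horse", "twofa": True}}
SESSIONS = {}  # token -> {"user": email, "level": "context" or "full"}

def _password_ok(email, password):
    user = USERS.get(email)
    return user is not None and hmac.compare_digest(
        user["password"].encode(), password.encode())

def _issue(email, level):
    token = secrets.token_hex(16)
    SESSIONS[token] = {"user": email, "level": level}
    return token

def establish_session(email, password):
    """Single policy point: a password alone never yields more than the
    'context' level when the account has 2FA enabled."""
    if not _password_ok(email, password):
        return None
    return _issue(email, "context" if USERS[email]["twofa"] else "full")

def main_login(email, password):
    return establish_session(email, password)

def integrated_login_flawed(email, password):
    """Second entry point with its own copy of the login logic, which
    forgot the 2FA branch (the class of bug described above)."""
    if not _password_ok(email, password):
        return None
    return _issue(email, "full")

def integrated_login_fixed(email, password):
    """Same entry point, delegating to the shared policy function."""
    return establish_session(email, password)

def complete_2fa(token, code_verified):
    """Upgrade a 'context' session once the second factor has been checked."""
    session = SESSIONS.get(token)
    if session and session["level"] == "context" and code_verified:
        session["level"] = "full"
        return True
    return False

def can_access_account(token):
    """Authorization check every account page should make."""
    session = SESSIONS.get(token)
    return session is not None and session["level"] == "full"
```

Routing every login path through one session-issuing function, and testing each entry point with a 2FA-enabled account, is what catches this kind of gap.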

I originally found this on the 5th of June, 2014, and reported it to Paypal the same day.

I have also uploaded a demonstration of it on YouTube.

==Found: 5th June 2014==
==Reported: 5th June 2014==
==Response: 27th June 2014==
==2nd Response: 27th June 2014==
==3rd Response: 4th July 2014==

Since there has been no fix yet (August 5th), I've decided to release this.

You can try it out, by logging into Paypal here: https://www.paypal.com/cgi-bin/webscr?cmd=_integrated-registration&key=0&stamp=1364194631&data=JGHnP2g2ybqbgKfR7%2B1loOlg24LvI/VppQIqFE8DyTO9hqc1x1pQw42CCLy3EdEogm85LYOTKtU2wYNfjFZvuHSx4PjAHLVtlv6sYdPl2FIBLN7BNr3l%2BPe0WPeDhopUWqhw0PYE9EAyZPkgIZWJgWKGGGNPqdQRjlbNGoCCIox7RLfKmtEDeH8KXEOzZDSmvETO%2B7fkoy06CLe9CkJhE0V8Mh9QN/wNYIF6WMFgHsze7RAS8Qe3j/U9I9zYXDPcfB2L5AVCYI53jcWUOxeKXSlcoV0eIcxkLOkLfmSqnaY9vywEQEhEU2PYoKSqefaZBPFh6Y7kWXVD/7id8PvkrJzKaCUq0nhBRfFGtf1kYrK0ZgX%2Byws4HmiTn4GEL/gaUPtpWviP4BCJmeGOhzQEhbFNYwzuzmOWAaqYfsa62DsAcq3LUy1DyAmBfsLhwzRyzZhKlg1NRz5MxTsuBqlh72W6ytc1gEMwh%2BJtBxZTf7EggIaTRLdpjXMlZmwRjkMH2BjX8P4968XicykzmLhTpqpg507flV%2Belq3QNBd9cAliSskS3n/%2Bd1os7FQBnogr4tZ7srcTkoPM5nezXqz3caE/loqoJnkWvlRYfNJpSSysjQ%2BThTgiwNtk4eh8X2r3LhepLD27KdM7I299%2BnWVF9veVjw625ZT%2B3MyQMiO7FbMJdng5baW%2BZIRFIear2GlEJVXMlftP3ibMJAmzGrnKqB0sPwY3augnaBNnz4u32QAaxg8zhvz5FEaELdpFxJ4ptLdRc2MFUBFkUDm%2B5tlpuNl9JzgKTDQnXzYxX/2KYAznivHTlsCcwH68kL6EqoiGGTsFoLzp8TqnLvizULu6tdfnTAhhxV6kCeRRoyN/a62wahvxDibJgTnTjp4d3/xm4nhkQhQ5/xUgtAN9T1aa7n5PinOWS84AOFR0TB3KpwHsQkoQCGXvzdYZh4wD8ECQzYS9lbpaCLm13GqPGK4xC6K2vat8/gt9uoiJbiy77SK2PcMhcRS3KbK9Z0HtDCl&ev=1.0&locale=en_US

(For the love of security, please make sure the page you go to is https://www.paypal.com/...)
Once you log in (don't press return to eBay), go to paypal.com.

Update: It has been patched on the 12th of August. "Surprise?"



Overall, Paypal's 2FA programme is pretty good. Compared to others, it is fairly secure and worth using. Despite the occasional outages in the SMS service, it doesn't stop usability of the Paypal service.

I rate it a 6/10. (The bypass I found would make it a 0/10, but hopefully they fix that soon.)
-3 for the full bypass, and -1 for the security questions problem.

Despite being a 6/10, I still recommend everybody uses it. It can be enabled here: https://www.paypal.com/securitykey


  1. Phishing is behind 91% of all account break-ins, and 2FA does not stop phishing (they're just as happy stealing your password ALONG WITH your login code, and a second code too if they need it to disable 2FA after they're in...).

    So given that 2FA solves less than 9% of the problem it should never be able to rate higher than a 1/10 score!
