Friday, 27 June 2014

Paypal's 2-Factor-Authentication(2FA): The Good, The Bad, And The Ugly. (Incl. full 2FA bypass without security questions)


Paypal, like many other services, offer 2-Factor-Authentication in an attempt to strengthen the security of users' accounts. As noted on Paypal's website, "The security key gives you an extra layer of security when you log in to your PayPal account. It creates random security codes to use along with your regular username and password."

Paypal provides two ways of using this service; through a one-time code sent as an SMS to your mobile phone, or through a physical, creditcard sized code generator.(Or optionally, a VeriSign ID Protection key, which you can set-up on your phone for free here.)

An example of Paypal's security-card

Paypal's implementation of 2FA has been heavily scrutinized[1] again[2] and again[3] due to the lack of apparent security surrounding it. They allow security questions to be used to bypass the blockade of not having access to your 2FA device, and sometimes even when you do have access to your device, the code just doesn't work.

In this article, I'll be detailing "The good, the bad, and the ugly" of Paypal's 2FA programme. This includes what works, how it works, how it doesn't work, and security implications(full disclosure: there is/was a complete bypass for the 2FA without security questions.)

Personally, I use the SMS version of Paypal's 2FA, thus I can only directly comment on that. Nonetheless, I'll reference a few articles in regard to their creditcard sized number generator, and the VeriSign key generator.

The Good

Despite the bad publicity and the bad advertisement(not many people know Paypal supports 2FA), Paypal's implementation of 2FA is pretty good.

When you login to the website, it forwards you to a page that asks you for your security token. Multiple phone numbers can be used for the SMS service.

Logging in as per usual
2FA Page

You can choose which phone number Paypal will SMS, and it will send you an SMS to the respective number.

The actual implementation of this process is that when you initially login, you're not actually logged in; you're simply given a 'context' cookie set, which later is used to initiate the real login phase.

Paypal blocks brute-force attacks of the 6-digit code by locking you out after 5 attempts, requiring you to enter personal information to unlock it.

A common security over-sight when it comes to 2FA is that it is bypass-able by using the application's mobile App. Paypal doesn't suffer from this, thus is secure in that sense. ---- Apparently that wasn't 100% true.

SMS 2FA codes also expire after 5-minutes, thus cannot be re-used.

The Bad

Although there aren't too many problems with Paypal's 2FA programme, they still do exist.

Personally, using the SMS service, the only problem I have had is the fact that sometimes the SMS is delayed, and doesn't arrive within the 5-alloted-minutes that you are given to enter it. Re-sending it usually doesn't fix this either, and they all just send at the same time(thus spamming your phone).

Noted by many, Paypal offers an option to bypass the 2FA procedure by entering in security questions, or your credit-card information. This is a huge no-no when it comes to 2FA. If your computer gets a virus, then the perpetrator is inevitability going to be able to get your credit-card information. And some security questions are guessable(e.g: Favourite Food?, First Teacher?, etc.).

The Ugly

And boy, is what I found ugly.

Nothing other than what I found constitutes as ugly for Paypal's 2FA programme -- Good Job Paypal!

A complete 2FA bypass is what I found. Yes, really. You completely bypass the page, and can send money, view/edit personal information, etc. All you need is an email and a password.

eBay, in conjunction with Paypal, provide a service as to where you can link your eBay account to your Paypal account, and when you sell something on eBay, the fees automatically come out of your Paypal account.

When setting this up, you're (obviously) asked for your Paypal login.

Linking the two accounts

Login Page

When you are redirected to the login page(above), the URL contains "=_integrated-registration". Doing a quick Google search for this shows that it isn't used for anything other than eBay; thus it is setup purely for Paypal&eBay.

Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load , and you are logged in, and don't need to re-enter your login.

So, the actual bug itself is that the "=_integrated-registration" function does not check for a 2FA code, despite logging you into Paypal.

You could repeat the process using the same "=_integrated-registration" page unlimited times.

I originally found this on the 5th of June, 2014, and reported it to Paypal the same day.

I have also uploaded a demonstration of it on YouTube.

==Found: 5th June 2014==
==Reported: 5th June 2014==
==Response: 27th June 2014==
==2nd Response: 27th June 2014==
==3rd Response: 4th July 2014==

Since there has been no fix yet(August 5th), I've decided to release this.

You can try it out, by logging into Paypal here:

(For the love of security, please make sure the page you go to is
Once you login(don't press return to eBay), go to

Update: It has been patched on the 12th of August. "Surprise?"



Overall, Paypal's 2FA programme is pretty good. Compared to others, it is fairly secure and worth using. Despite the occasional outages in the SMS service, it  doesn't stop usability of the Paypal service.

I rate it a 6/10.(The bypass I found would make it a 0/10, but hopefully they fix that soon.)
-3 for the full bypass, and -1 for the security questions problem.

Despite being a 6/10, I still recommend everybody uses it. It can be enabled here: