PayPal two-factor authentication for mobile apps is flawed

Pierluigi Paganini June 26, 2014

Security experts at Duo Security have discovered a serious flaw in PayPal's implementation of two-factor authentication that allows attackers to bypass it.

Two-factor authentication processes, if flawed, can give companies a false sense of security, even when the company in question is PayPal. In the past we have explained how to bypass two-factor authentication in various ways, for example by using malware or by exploiting a flaw in the process itself.

PayPal's implementation of two-factor authentication is flawed, and an attacker can bypass it and transfer money from a victim’s account to any recipient he chooses. The disconcerting discovery was made by security researchers at Duo Security, who found a flaw in the PayPal authentication mechanism used by the iOS and Android mobile apps.

The vulnerability lies in the PayPal Security Key: PayPal's two-factor authentication implementation sends a one-time code that must be entered after the user types their credentials, but on the mobile client this security feature has never worked.

“This is a really unfortunate implementation of two-factor because it damages what benefits it offered,” Zach Lanier, a senior security researcher at Duo Security, wrote in his explanation of the vulnerability and its effects. “An attacker only needs a victim’s PayPal username and password in order to access a two-factor protected account and send money. The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified.”

PayPal has been aware of the security issue since March and has already provided a temporary fix, but the company has not yet scheduled the release of a full patch. According to the experts at Duo Security, the vulnerability may have been present in the mechanism since the launch of the first PayPal mobile app in 2008.

“While PayPal’s mobile apps do not currently support 2FA-enabled accounts, it is possible to effectively trick the PayPal mobile applications into ignoring the 2FA flag on the account, subsequently allowing an attacker to log in without requiring secondary authentication.”

The experts developed a proof-of-concept app that exploits the vulnerability. When a user with two-factor authentication enabled signed in via the mobile app, they were briefly logged in before the server sent a message informing them that they could not continue because the feature was not compatible with mobile.

[Image: PayPal two-factor authentication flaw]

It all started with the remarkable discovery of expert Daniel Blake Saltman, who noticed that using flight mode to quickly turn off connectivity while the user was logged in, and then switching it back on again, left the user logged in, thereby bypassing the 2FA mechanism.


[Image: PayPal two-factor authentication flaw]

In other words, by simply turning off connectivity in that brief gap while the user was logged in, and then switching it back on again, the user remained logged in, and the second factor of authentication was never enforced.

The researchers built an app that tricks the PayPal API into thinking the mobile app is accessing an account that does not have 2FA enabled. The application designed by Duo Security invokes two distinct PayPal APIs: one that manages the authentication process and a second one that handles the money transfer after login.

The experts wrote a small Python program to mimic the behavior of the mobile app and discovered that a “session token” was sent by the PayPal API server to the app to confirm that the user was logged in. The program is able to perform the following operations:

  1. Authenticate to api.paypal.com
  2. Display some limited account information (including the “wallet,” or linked fund sources, such as bank accounts and debit/credit cards)
  3. Read the “session_token” value
  4. Use “session_token” to authenticate to mobileclient.paypal.com and proceed with the steps to initiate and complete sending funds to the target recipient

“As it turned out, “session_token” is used for authorization against mobileclient.paypal.com, an otherwise (publicly) undocumented SOAP-based API that provides additional account-related functionality, including but not limited to sending money.

We then stepped through the “send money” process in the mobile apps, again capturing traffic with Burp. Through this, we were able to observe the necessary requests/responses and SOAP envelopes (read: painful XML) that make up a PayPal fund transfer from their mobile applications. The funds transfer process turned out to be a four-step exchange, with each request requiring a value unique to the overall transaction.” reports Duo Security.

To protect its customers, PayPal stopped returning session tokens for Security Key-enabled accounts, thereby preventing anyone from logging in this way. PayPal has told Duo Security that the flaw in the two-factor authentication mechanism will be definitively fixed on July 28th.
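The root cause described in the preceding paragraphs is a design defect rather than a bug in any single line of code: the login API handed a fully usable session token to the client and relied on the client to honour a "2FA required" flag, so any client that ignored the flag could call the money-transfer API directly. The toy simulation below is an added example written for this article; it is not Duo Security's proof-of-concept and does not model PayPal's real APIs, endpoints or message formats. It contrasts three hypothetical server behaviours with constructed users and one-time codes: the flawed design, the interim lockout PayPal applied (no session token at all for 2FA-enabled accounts), and the hardened design in which the token is issued in a pending state that the transfer API refuses until the second factor has been verified server-side.

```python
"""Toy model of client-enforced vs. server-enforced second-factor checks.

Everything here is constructed for illustration: the user records, the
one-time codes, the API shapes and the server modes are assumptions, not
PayPal's or Duo Security's code.
"""
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample user records (not real credentials or balances).
SAMPLE_USERS = {
    "alice": {"password": "correct horse", "twofa_enabled": True, "balance": 100},
    "bob": {"password": "hunter2", "twofa_enabled": False, "balance": 50},
}

# Constructed one-time codes the "SMS" step would have delivered.
SAMPLE_OTP_CODES = {"alice": "123456"}


@dataclass
class Session:
    user: str
    second_factor_ok: bool  # True only once the server has verified the OTP


class AuthServer:
    """Login API. mode is 'flawed', 'lockout' or 'hardened' (all hypothetical)."""

    def __init__(self, mode):
        if mode not in ("flawed", "lockout", "hardened"):
            raise ValueError("unknown mode")
        self.mode = mode
        self.sessions = {}
        # Each server instance gets its own copy so balances don't leak between runs.
        self.users = {name: dict(rec) for name, rec in SAMPLE_USERS.items()}

    def login(self, user, password):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return {"error": "bad credentials"}
        needs_2fa = rec["twofa_enabled"]
        if needs_2fa and self.mode == "lockout":
            # Interim mitigation: issue no token at all to 2FA-enabled accounts.
            return {"error": "2FA accounts cannot log in from this client"}
        token = secrets.token_hex(16)
        if self.mode == "hardened":
            # Server-side enforcement: the token starts unprivileged when 2FA is on.
            self.sessions[token] = Session(user, second_factor_ok=not needs_2fa)
        else:
            # Flawed design: the token is fully privileged and the client is
            # merely *told* that a second factor is required.
            self.sessions[token] = Session(user, second_factor_ok=True)
        return {"session_token": token, "requires_2fa": needs_2fa}

    def verify_otp(self, token, code):
        """Second step: upgrade the session only when the code matches."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        expected = SAMPLE_OTP_CODES.get(sess.user, "")
        if expected and hmac.compare_digest(expected, code):
            sess.second_factor_ok = True
            return True
        return False


class TransferServer:
    """Second API: trusts only the server's own record of the session state."""

    def __init__(self, auth):
        self.auth = auth

    def send_money(self, token, recipient, amount):
        sess = self.auth.sessions.get(token)
        if sess is None:
            return "denied: unknown session"
        if not sess.second_factor_ok:
            return "denied: second factor not verified"
        sender = self.auth.users[sess.user]
        if sender["balance"] < amount:
            return "denied: insufficient funds"
        sender["balance"] -= amount
        self.auth.users[recipient]["balance"] += amount
        return "ok"


def client_ignoring_2fa(auth, transfer, user, password):
    """A client that uses the token without ever completing the second step."""
    resp = auth.login(user, password)
    if "session_token" not in resp:
        return resp["error"]
    return transfer.send_money(resp["session_token"], "bob", 10)


def compliant_client(auth, transfer, user, password, code):
    """A client that completes the OTP step before using the token."""
    resp = auth.login(user, password)
    if "session_token" not in resp:
        return resp["error"]
    tok = resp["session_token"]
    if resp["requires_2fa"] and not auth.verify_otp(tok, code):
        return "otp failed"
    return transfer.send_money(tok, "bob", 10)
```

The point of the model is that only the hardened server denies the non-compliant client: in the flawed mode the transfer API has no way to tell a session that skipped the second factor from one that completed it, because the distinction was never recorded server-side. The lockout mode reproduces the effect of the interim fix described above, which blocks every 2FA-enabled account rather than distinguishing verified sessions.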

PayPal confirmed that it has adopted the necessary countermeasures to secure all accounts.

“As a precaution we have disabled the ability for customers who have selected 2FA to log in to their PayPal account on the PayPal mobile app and on certain other mobile apps until an identified fix can be implemented in the next few weeks,” a PayPal spokesperson said.

Pierluigi Paganini

(Security Affairs –  PayPal, two-factor authentication)
