Researchers at a security firm discovered a vulnerability in PayPal’s two-factor authentication (2FA) – what PayPal calls the Security Key mechanism. As the Guardian newspaper reported, attackers would still need a PayPal user’s username and password to compromise accounts, but the paper said “the vulnerability in PayPal Security Key would have made life far easier for hackers looking to steal PayPal users’ funds.”
Researchers at Duo Labs, the research team at Duo Security, wrote about their discovery in a blog post on Wednesday.
“The vulnerability lies primarily in the authentication flow for the PayPal API web service (api.paypal.com) – an API used by PayPal’s official mobile applications, as well as numerous third-party merchants and apps – but also partially in the official mobile apps themselves.”
The Duo Labs researchers said PayPal has put a workaround in place to limit the impact of the vulnerability, with a permanent fix planned for July 28. “In light of the vulnerability reporting timeline and the trivial discoverability of the vulnerability, we have elected to publicly disclose this issue, so that users can be informed of the risks to their PayPal account security,” they wrote.
The Guardian said the weakness may have been resident in the software for years.
PayPal responded to the report in a blog post on Wednesday. It emphasized that all PayPal accounts remain secure – “customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way” and, “if you have chosen to add 2FA to your PayPal account, your account also remains secure and 2FA will continue to operate as usual on the vast majority of PayPal product experiences.”
PayPal said it does not depend on 2FA alone to keep accounts secure. “We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, every day.”