A reader alerted us to a report of another security vulnerability on PayPal, saying he had tested the method described by a search-engine marketing services company located in Texas.
“I saw your post last month about the security vulnerability that was found on PayPal.com (link). There’s a much bigger one that Internet marketing firm Escalate Internet just disclosed publicly: link.”
The Escalate Internet website, which now appears to be accessible only by signing in with a password, said its CEO Chase Watts had discovered that it was indeed possible to bypass PayPal’s two-step authentication.
“While security exploits are not uncommon in today’s times, they normally require a decent amount of knowledge. However, this vulnerability could be executed by the average Internet user, within a matter of minutes,” the company wrote.
“As of the date of this post (August 1, 2014), this exploit continues to exist. Due to the severe nature of this vulnerability, we have decided to publicly disclose it to inform PayPal users of the risk.”
A PayPal spokesperson released the following statement in response to our inquiry:
We are aware of a two-factor authentication (2FA) issue that is limited to a small number of integrations with Adaptive Payments. 2FA is an extra layer of security some customers have chosen to add to their PayPal accounts. We are working to get the issue addressed as quickly as possible. It is important to clarify that 2FA provides extra assurance to keep accounts secure; however, usernames and passwords are still required to gain access to all PayPal accounts.
Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way. If you have chosen to add 2FA to your PayPal account, your account will continue to operate as usual on the vast majority of PayPal product experiences. We have extensive fraud and risk detection models and dedicated security teams who work to help keep our customers’ accounts secure from fraudulent transactions, every day. We apologize for any inconvenience caused to affected customers who use our 2FA process and we will continue to work hard to address this issue.
Other outlets picked up on a report from an Australian blogger who also said he had poked holes in PayPal’s two-factor authentication – see this report from PC World.