Now it's PayPal's turn: two factor authentication is hackable

Joshua Rogers, teenage hacker, finds PayPal vulnerability

An Australian researcher has found a way to get around a security feature that PayPal offers precisely to stop hackers from breaking into accounts.

PayPal offers a two factor authentication system: users who opt in have a six digit code texted to them, and that code must be entered after the username and password to get into the account. The objective of two factor authentication is to make it difficult for hackers who have intercepted a password to get in, because the second code is delivered through a separate, offline channel, ie, a text message (yes, that is considered offline in this instance).

However, a 17 year old in Melbourne, Australia, Joshua Rogers, has found a way around a two factor authenticated PayPal account. Usually, Rogers would have been eligible for a $3,000 reward that PayPal gives to security researchers who identify vulnerabilities and keep it a secret until it is fixed. However, Rogers chose to go public with his findings saying that PayPal was told on June 5 about the flaw and failed to fix it.

The hack that Rogers discovered does require a hacker to have someone's eBay and PayPal logins, which are relatively easy to harvest from compromised computers.

According to Rogers, eBay provides a service that links your eBay account to your PayPal account so that when you sell something on eBay it can deposit the fee automatically in your PayPal account.

The problem is that the process leaves you logged in to both eBay and PayPal but never asks for the second factor on your PayPal account, despite your being logged into PayPal.

A cookie unique to this linked set-up on eBay's pages means that you are logged into PayPal without any further security hindrance; all it takes is to jump from eBay to your PayPal page and you will see that fact verified.
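The flaw the article describes is a policy defect rather than a broken OTP: a session minted through the partner-linking flow is treated as fully authenticated even though the second factor was never checked for that session. The toy model below (added here for illustration; it is not PayPal's or eBay's code, and every name in it, such as `Session`, `login_via_partner_link` and the constructed `PARTNER_COOKIE`, is an assumption) puts the weak policy, which exempts the partner-link origin, beside the hardened one, which requires the second factor on every session of an account that has it enabled, regardless of how the session was created.

```python
"""Toy model of a second-factor check that is, and is not, enforced per session.
All names and values are constructed for illustration, not real PayPal/eBay code."""
from dataclasses import dataclass, field
import hmac
import secrets

# Constructed value standing in for the cookie the partner flow hands over.
PARTNER_COOKIE = "partner-link-cookie-EXAMPLE"


@dataclass
class Session:
    user: str
    origin: str                  # "password" or "partner_link"
    mfa_verified: bool = False   # second factor completed for THIS session
    token: str = field(default_factory=lambda: secrets.token_hex(16))


class AccountService:
    def __init__(self, users):
        # users: name -> {"password": str, "mfa_enabled": bool, "otp": str}
        self.users = users
        self.sessions = {}  # token -> Session

    def login_with_password(self, user, password):
        """Password step only; returns a session token that still needs the OTP."""
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(password, u["password"]):
            return None
        s = Session(user=user, origin="password")
        self.sessions[s.token] = s
        return s.token

    def verify_otp(self, token, code):
        """Second factor: marks the session as MFA-verified on a correct code."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if hmac.compare_digest(code, self.users[s.user]["otp"]):
            s.mfa_verified = True
            return True
        return False

    def login_via_partner_link(self, user, partner_cookie):
        """Partner-linking flow: mints a session from the partner's cookie and
        never prompts for the OTP (this is the behaviour the article describes)."""
        if partner_cookie != PARTNER_COOKIE or user not in self.users:
            return None
        s = Session(user=user, origin="partner_link")
        self.sessions[s.token] = s
        return s.token

    def weak_access_check(self, token):
        """Defective policy: the partner-link origin is exempt from the second factor."""
        s = self.sessions.get(token)
        if s is None:
            return False
        return s.mfa_verified or s.origin == "partner_link"

    def hardened_access_check(self, token):
        """Fixed policy: if the account has MFA enabled, the second factor must have
        been completed on this very session, whatever flow created it."""
        s = self.sessions.get(token)
        if s is None:
            return False
        return (not self.users[s.user]["mfa_enabled"]) or s.mfa_verified


def demo():
    """Run both policies over the password flow and the partner-link flow.
    Returns (weak, hardened) verdicts for each stage."""
    svc = AccountService({"alice": {"password": "pw", "mfa_enabled": True, "otp": "123456"}})
    t1 = svc.login_with_password("alice", "pw")
    before = (svc.weak_access_check(t1), svc.hardened_access_check(t1))
    svc.verify_otp(t1, "123456")
    after = (svc.weak_access_check(t1), svc.hardened_access_check(t1))
    t2 = svc.login_via_partner_link("alice", PARTNER_COOKIE)
    linked = (svc.weak_access_check(t2), svc.hardened_access_check(t2))
    return {"password_before_otp": before, "password_after_otp": after, "partner_link": linked}


if __name__ == "__main__":
    for stage, verdict in demo().items():
        print(f"{stage}: weak={verdict[0]} hardened={verdict[1]}")
```

The design point is that the hardened check keys off a per-session `mfa_verified` flag rather than off the session's origin, so a new login path cannot quietly inherit an exemption; a real service would redirect an unverified session to the OTP step instead of simply returning `False`.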

Rogers is well known in Australia for his exploits. He has, in the past, had to be cautioned by the police to avoid a hacking charge. He had discovered a vulnerability in the website of Public Transport Victoria (PTV), which runs the state's transport system, and had gained access to 600,000 accounts there.

Rogers did inform the agency and did nothing else. They reported him to the police, naturally. Kids! Stay off our damn website, I guess.

Joe Jejune

I am a gadget freak and love everything about technology. In my day job I work at a startup and help build applications for the healthcare industry. 

