Now it's PayPal's turn: two factor authentication is hackable

Joshua Rogers teenage hacker find PayPal vulnerability

An Australian researcher has found a way to get around a security feature that is offered by PayPal to prevent hackers doing just that.

PayPal has a two factor authentication system that it offers users who can choose to have a six digit code texted to them to give them access to their accounts. The number is then used after the username and password have been entered. The objective of two factor authentication is make it difficult for hackers to intercept access passwords and codes by circumventing online access by issuing a code offline, ie, a text message (yes, that is considered offline in this instance).

Related: Weaponizing cats: one hacker takes it too far

However, a 17 year old in Melbourne, Australia, Joshua Rogers, has found a way around a two factor authenticated PayPal account. Usually, Rogers would have been eligible for a $3,000 reward that PayPal gives to security researchers who identify vulnerabilities and keep it a secret until it is fixed. However, Rogers chose to go public with his findings saying that PayPal was told on June 5 about the flaw and failed to fix it.

The hack that Rogers discovered does require a hacker to have someone's EBay and PayPal logins, which are relatively easy to harvest from compromised computers.

According to Rogers, eBay provides a service that links your eBay account to your PayPal account so that when you sell something on eBay it can deposit the fee automatically in your PayPal account.

The problem is that the process allows you to be logged in to both eBay and PayPal and does not require you to have two factor authentication of your PayPal account, despite you being logged into PayPal. 

Related: So change your eBay and PayPal passwords already

A cookie that is unique to this combo set-up on eBay's pages means that you are logged into PayPal devoid of any further security hinderance and all it takes is for you to jump from eBay to your PayPal page and you will see that fact verified.

Rogers is well known in Australia for his exploits. He has, in the past, had to be cautioned by the police to avoid a hacking charge.  He had discovered a vulnerability in the website of Public Transport Victoria (PTV) which runs the state's transport system and Rogers had gained access to 600,000 accounts on there. 

Rogers did inform the agency and did nothing else. They reported him to the police, naturally. Kids! Stay off our damn website, I guess.

Joe Jejune

I am a gadget freak and love everything about technology. In my day job I work at a startup and help build applications for the healthcare industry. 


Wishing Harrison Ford Well

As we’ve all heard by now, Harrison Ford had a crash in a private plane on a Santa Monica golf course. While he definitely got banged up, he was able to walk away from the crash. As USA Today reports, Ford was flying a vintage World War II plane, which apparently had engine trouble, and had to make an emergency landing on the previously mentioned golf course. “He was banged up and is in the hospital receiving medical care. The injuries sustained are not life threatening, and he is expected to make a full recovery.” Ford’s son Ben, who is a chef, tweeted, “Dad is ok. Battered, but ok! He is an...

Will Supergirl Fly?

The latest superhero TV series could debut on CBS this fall

Big Bang Theory Pays Tribute to Leonard Nimoy

We still miss the guy