A security feature offered by PayPal to help prevent accounts from being taken over by hackers can be easily circumvented, an Australian security researcher has found.
PayPal users can elect to receive a six-digit passcode via text message in order to access their accounts. The number is entered after a username and password is submitted.
The security feature, known as two-factor authentication, is an option on many online services such as Google and mandatory on many financial services websites for certain kinds of high-risk transactions. Since the code is sent offline or generated by a mobile application, it is much more difficult for hackers to intercept although by no means impossible.
Joshua Rogers, a 17-year-old based in Melbourne, found a way to get access to a PayPal account that has enabled two-factor authentication. He published details of the attack on his blog on Monday after he said PayPal failed to fix the flaw despite being notified on June 5.
By going public with the information, Rogers will forfeit a reward usually paid by PayPal to security researchers that requires confidentiality until a software vulnerability is fixed. Rogers estimated the reward might be around US$3,000, although PayPal didn't give him a figure.
"I don't care about the money, no," he said via email. "Money isn't everything in this world."
The attack requires a hacker to know a person's eBay and PayPal login credentials, but malicious software programs have long been able to easily harvest those details from compromised computers.
The fault lies in a page on eBay that allows users to link their eBay account with PayPal, which eBay owns. Linking the accounts creates a cookie that makes the PayPal application think the person is logged in, even if a six-digit code has not been entered, Rogers wrote on his blog.
The problem lies specifically in the "=_integrated-registration" function, Rogers wrote, which does not check to see if the victim has two-factor authentication enabled. An attacker could repeatedly gets access to the PayPal account by linking and de-linking the eBay and PayPal accounts of a person, he wrote. He posted a video of the attack on YouTube.
PayPal officials could not be immediately reached for comment.
The payment processor's two-factor authentication could potentially be defeated in other ways. For example, if a user doesn't have a way to receive the six-digit code, PayPal allows them to skip it and instead answer two security questions.
Those questions, which include "What's the name of your first school?" and "What's the name of the hospital in which you were born?" arguably aren't difficult ones for a hacker who has been profiling a victim to answer.
Sign up for CIO Asia eNewsletters.