An Australian teen has discovered a major security flaw in the online payment service PayPal, the Sydney Morning Herald reports.



The 17-year-old schoolboy, Joshua Rogers, found that a flaw in the system's security allowed hackers to bypass the two-factor authentication system, letting them use accounts that don't belong to them to purchase items online or even withdraw money sitting in those accounts, journalist Ben Grubb revealed.

He even linked to a YouTube video which demonstrated exactly how it works.

The teen told the SMH he could have earned a cash reward for the discovery, if only he had contacted PayPal privately and kept his mouth shut publicly. But Rogers said the problem was too serious to be ignored and that waiting for PayPal to respond would have taken too long. He instead opted to blog publicly about the rather worrying glitch.

He said he didn't care about the money; he just wanted "to speed them up in fixing it".

PayPal responded by saying that the problem was "contained" and affected only "a small number of customers", because two-factor authentication is a security measure used by only 0.27 per cent of its Australian users.

It is unclear at this stage whether international PayPal customers are affected.



"We are working hard to address this issue with a small amount of integrations with Adaptive Payments, which we expect to be resolved soon," a spokesman said.

The company added it also used other factors - like IP address confirmation - in order to verify customers' identities and prevent fraud.

In the event fraud was ever committed, PayPal said it would refund the affected users the full amount.



This is not the first time the teenager has revealed major security flaws. Victorian police recently issued a search warrant for the teenager's family home and computer in May after he hacked the Public Transport of Victoria's Metlink online store to reveal a database containing approximately 600,000 entries of customer information, including credit card numbers, addresses, mobile numbers, email addresses and more.



Read the full story at the Sydney Morning Herald.