



What is Two-factor Authentication

Impact of the Vulnerability

Technical details





The researchers used the Burp proxy tool to intercept HTTP/HTTPS traffic between the PayPal mobile apps and PayPal's remote web services, and analyzed how the service responded to 2FA-enabled accounts versus non-2FA-enabled accounts.





On analysis, the researchers found that the response was a JSON dictionary containing some additional PayPal service URIs, various tokens (primarily OAuth-related), and some 2FA-related attributes.













Since the researchers were using Burp, they used the tool's match-and-replace feature to modify some of the returned data, rewriting the "2fa_enabled" value to "false".









With this simple modification to the data, the mobile clients proceeded as normal, as if no two-factor authentication were enabled on the account. Although the underlying vulnerability is on the server side, this tweak showed that 2FA was being "enforced" only on the client side.





With that modification, an attacker could successfully log in to the victim's account. Furthermore, the researchers discovered an additional session identifier being returned in the JSON dictionary, as highlighted below.













The researchers then took the attack a step further, to "Send Money": they crafted a Python proof-of-concept script that exploited the vulnerability and succeeded in sending money from the victim's account.





POC: Demonstration Video

For the POC, the researchers also made a video demonstrating the flaw.









As yet the vulnerability is not fully fixed, but in a statement posted on its PayPal Forward community page, PayPal's senior director of global initiatives, Anuj Nayar, said that despite the vulnerability, "all PayPal accounts remain secure".





Credits:-





Researchers from the advanced research team at Duo Security have discovered a way to bypass PayPal's two-factor authentication (2FA). The vulnerability lies primarily in the authentication flow for the PayPal API web service (api.paypal.com), an API used by PayPal's official mobile applications as well as numerous third-party merchants and apps, but also partially in the official mobile apps themselves. As the researchers say in their blog post, the vulnerability is not fully patched in PayPal's systems, but the PayPal team is working to fix it permanently.

Two-factor authentication, also known as 2FA, two-step verification or TFA, is an extra layer of security, a form of "multi-factor authentication", that requires not only a username and password but also something that only that user has: a piece of information only they should know or have immediately to hand, such as a physical token.

The researchers added that the vulnerability exists in the PayPal mobile application; the web interface is not affected by the bypass. With the 2FA bypass, an attacker can do anything from the victim's account, such as sending money to the attacker's own account.

The researchers developed a proof-of-concept exploit to leverage this lack of 2FA enforcement, interfacing with the PayPal API directly and effectively mimicking the PayPal mobile app as though it were accessing a non-2FA account. The exploit communicates with two separate PayPal API services: one to authenticate (with the primary credentials only), and another to transfer money to a destination account.

The vulnerability lies primarily in the authentication flow for PayPal's API web services. In particular, api.paypal.com, a RESTful API that uses OAuth for authentication/authorization, does not directly enforce two-factor authentication requirements server-side when authenticating a user.

Note the red highlight around the "" attribute. As it turned out, the value of this attribute being set to "" caused the mobile application to return to the login screen and display an error message indicating that 2FA was not currently supported. This error message was observed on both the Android and iOS PayPal apps.

As it turned out, "session_token" is used for authorization against mobileclient.paypal.com, an otherwise (publicly) undocumented SOAP-based API that provides additional account-related functionality, including but not limited to sending money.
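As an added example that is not part of the original post, and is neither Duo Security's proof-of-concept nor PayPal's code, the following Python models the two weaknesses described above (a login service that issues a session token on primary credentials alone and leaves the client to honour a "2fa_enabled" flag, and a second service that accepts that token for sending money) beside a hardened version in which the server withholds the session token until the second factor is verified and the transfer service re-checks the token's "mfa" claim. All function names, user records, OTP values, balances and the token format are constructed assumptions for illustration.

```python
"""Toy login and money-transfer services showing why a second factor must be
enforced on the server. Constructed for illustration only: user records, OTP
codes, token format and function names are assumptions, not PayPal's API and
not Duo Security's proof-of-concept."""
import hashlib
import hmac
import json
import secrets

SERVER_KEY = b"constructed-demo-signing-key"  # placeholder; a real key is secret


def _pw_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user store. Alice has 2FA switched on, Bob does not.
USERS = {
    "alice": {"pw": _pw_hash("correct horse"), "tfa": True, "otp": "123456", "balance": 100},
    "bob": {"pw": _pw_hash("hunter2"), "tfa": False, "otp": None, "balance": 50},
}
PENDING = {}  # challenge_id -> username, for logins still awaiting an OTP


def _sign(claims):
    """Serialize claims and append an HMAC so downstream services can trust what
    the login service asserted; the client cannot forge or edit the claims."""
    body = json.dumps(claims, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()


def _verify(token):
    """Return the claims dict if the HMAC checks out, otherwise None."""
    body_hex, _, tag = token.partition(".")
    try:
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(tag, expected) else None


def _check_password(user, password):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["pw"], _pw_hash(password))


def _transfer(sender, to, amount):
    if to not in USERS or USERS[sender]["balance"] < amount:
        return "refused"
    USERS[sender]["balance"] -= amount
    USERS[to]["balance"] += amount
    return "ok"


# ---- Vulnerable pattern: the one the post describes ----------------------
def login_vulnerable(user, password):
    """Mints a full session token on username/password alone and merely reports
    2fa_enabled, leaving the client to decide whether to honour it."""
    if not _check_password(user, password):
        return {"error": "bad credentials"}
    return {"2fa_enabled": USERS[user]["tfa"],
            "session_token": _sign({"sub": user, "mfa": False})}


def send_money_vulnerable(token, to, amount):
    """Trusts any genuine token, regardless of how its login was authenticated."""
    claims = _verify(token)
    return "invalid token" if claims is None else _transfer(claims["sub"], to, amount)


# ---- Hardened pattern ----------------------------------------------------
def login_hardened(user, password):
    """With 2FA on, returns only a challenge id: no session token exists until the
    OTP is verified, so a client that ignores 2fa_enabled has nothing to use."""
    if not _check_password(user, password):
        return {"error": "bad credentials"}
    if USERS[user]["tfa"]:
        cid = secrets.token_hex(8)
        PENDING[cid] = user
        return {"2fa_enabled": True, "challenge_id": cid}
    return {"2fa_enabled": False, "session_token": _sign({"sub": user, "mfa": False})}


def verify_otp(challenge_id, otp):
    """Second step of the hardened login; the token is minted only here."""
    user = PENDING.pop(challenge_id, None)
    if user is None or not hmac.compare_digest(USERS[user]["otp"], otp):
        return {"error": "second factor rejected"}
    return {"session_token": _sign({"sub": user, "mfa": True})}


def send_money_hardened(token, to, amount):
    """Defence in depth: besides the signature, the transfer service requires the
    token to record a completed second factor whenever the account demands one."""
    claims = _verify(token)
    if claims is None:
        return "invalid token"
    if USERS[claims["sub"]]["tfa"] and not claims.get("mfa"):
        return "2fa required"
    return _transfer(claims["sub"], to, amount)


def tampered_client(login_fn, send_fn, user, password, to, amount):
    """Models the proxy rewrite from the post: the client overwrites 2fa_enabled
    with False and carries on with whatever session token it was handed."""
    resp = login_fn(user, password)
    resp["2fa_enabled"] = False
    token = resp.get("session_token")
    if token is None:
        return "stopped: no session token issued"
    return send_fn(token, to, amount)
```

Running `tampered_client` against the vulnerable pair moves money out of Alice's account, because the flag the client flipped was only advisory and the token had already been issued; against the hardened pair it stops at the login step, since the server never produced a token to misuse. The design point is that a second factor cannot be enforced by a client-side check: the server must refuse to mint a privileged credential before the factor is verified, and each service that consumes the credential (here the transfer service, standing in for the separately authorized SOAP endpoint) should re-check the claim rather than assume the login path did.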