Paypal bypass email verify logins Vulnerability
Risk [Security Risk Critical]
Vendor https://www.paypal.com
Technical Details & Description:
================================
A 2 Factor Authentication Bypass Vulnerability was discovered in the official PayPal website (api) web-application).
This vulnerability allows an attacker to bypass the 2FA mechanism for access to accounts of paypal without verifying in
the basic procedure the identity with confirmation. The security vulnerability is located in the paypal login portals of
uk and the paypal preview. Each Portal is having an issue which can lead to a full bypass once used in a combined way.
If the user have 2FA activated in his account. Whenever an user logs into his account, paypal will ask the
user to verify the identity. Verification can be made via phone number or by confirming the login request
via paypal mobile app (api). The mechanism mainly prevents unauthorized acccess to the account and provides
an extra layer of security.
The login portal of paypal preview is missing verification mechanism in it. When an user is logged in via paypal
preview's login portal, the user is logged in without any verification and the login is successful but there is
no settings or anything of interest. When logged in via paypal uk login portal, it checks if the user account is already
signed in from any other portal or not. Once it checks the user is already logged in via
paypal preview (without verification)
it allows us access to the account without any kind of verification. This is the way how 2FA was bypassed in
paypal due to lack of 2FA protection.
Proof of Concept (PoC):
=======================
PayPal uses an additional layer of security known as 2-Factor Authentication which is used to verify the
user's identity so no unauthorized access would be allowed. The mechanism verifies the user's identity by
calling or messaging a code to phone number or by confirming the login via Mobile App. Without these,
the account will not be accessed. By following the procedure below the 2FA protection can be bypassed:
Site: PayPal ( www.paypal.com )
PayPal UK Login Portal: https://www.paypal.com/uk/cgi-bin/?cmd=_email_receipt
PayPal Preview Login Portal: https://www.paypal.com/webapps/garden/page/garden.form
Steps to reproduce:
1. Open PayPal UK Login Portal in a new tab(keep it open)
2. On the other tab, open PayPal Preview Login Portal
3. Login to your account in the URL which is opened in step 2
4. Enter credentials in the new window which appears
5. Refresh the page which was opened in step 1
6. Now you will be logged, Click on view account button which will lead you to your account and the 2 step verification will be bypassed
Solution - Fix & Patch:
=======================
In every login portals, verification checks must be deployed even if the user is already logged in.
This will prevent unauthorized access to the account.
Security Risk:
==============
This vulnerability allows an attacker to bypass the 2-factor authentication and mobile confirmation
which could lead to unauthorized access.
Risk [Security Risk Critical]
Vendor https://www.paypal.com
Technical Details & Description:
================================
A 2 Factor Authentication Bypass Vulnerability was discovered in the official PayPal website (api) web-application).
This vulnerability allows an attacker to bypass the 2FA mechanism for access to accounts of paypal without verifying in
the basic procedure the identity with confirmation. The security vulnerability is located in the paypal login portals of
uk and the paypal preview. Each Portal is having an issue which can lead to a full bypass once used in a combined way.
If the user have 2FA activated in his account. Whenever an user logs into his account, paypal will ask the
user to verify the identity. Verification can be made via phone number or by confirming the login request
via paypal mobile app (api). The mechanism mainly prevents unauthorized acccess to the account and provides
an extra layer of security.
The login portal of paypal preview is missing verification mechanism in it. When an user is logged in via paypal
preview's login portal, the user is logged in without any verification and the login is successful but there is
no settings or anything of interest. When logged in via paypal uk login portal, it checks if the user account is already
signed in from any other portal or not. Once it checks the user is already logged in via
paypal preview (without verification)
it allows us access to the account without any kind of verification. This is the way how 2FA was bypassed in
paypal due to lack of 2FA protection.
Proof of Concept (PoC):
=======================
PayPal uses an additional layer of security known as 2-Factor Authentication which is used to verify the
user's identity so no unauthorized access would be allowed. The mechanism verifies the user's identity by
calling or messaging a code to phone number or by confirming the login via Mobile App. Without these,
the account will not be accessed. By following the procedure below the 2FA protection can be bypassed:
Site: PayPal ( www.paypal.com )
PayPal UK Login Portal: https://www.paypal.com/uk/cgi-bin/?cmd=_email_receipt
PayPal Preview Login Portal: https://www.paypal.com/webapps/garden/page/garden.form
Steps to reproduce:
1. Open PayPal UK Login Portal in a new tab(keep it open)
2. On the other tab, open PayPal Preview Login Portal
3. Login to your account in the URL which is opened in step 2
4. Enter credentials in the new window which appears
5. Refresh the page which was opened in step 1
6. Now you will be logged, Click on view account button which will lead you to your account and the 2 step verification will be bypassed
Solution - Fix & Patch:
=======================
In every login portals, verification checks must be deployed even if the user is already logged in.
This will prevent unauthorized access to the account.
Security Risk:
==============
This vulnerability allows an attacker to bypass the 2-factor authentication and mobile confirmation
which could lead to unauthorized access.
This review was so good and cool, I never imaging I would be able to get a post like this that is so important about Paypal. Really, over some years I have had people complaining about Paypal, thank you once more for the update you are great in developing contents and informaton.
ReplyDeletehttps://www.tecteem.com/paypal-login/
Post a Comment