A nice writeup and demonstration video from Duo Sec showing some problems with PayPal two-factor authentication.

We developed a proof-of-concept exploit to leverage this lack of 2FA enforcement, interfacing with the PayPal API directly and effectively mimicking the PayPal mobile app as though it were accessing a non-2FA account. The exploit communicates with two separate PayPal API services — one to authenticate (only with primary credentials), and another to transfer money to a destination account.

It appears that the PayPal mobile app authenticated to the back-end API and received a valid session token, along with (for two-factor-enabled accounts) a flag indicating that the account was 2FA-enabled. Of course, at that point the flag was irrelevant: the back end had already accepted and confirmed the authentication request without any two-factor interaction, leaving enforcement of the second factor entirely up to the client.

Duo were able to create a nice Python script that exploited this vulnerability to log in and send money, all without triggering the two-factor verification. (They still needed the user's original user ID and password, though.)
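To make the flaw concrete, here is an added example (not Duo's script and not PayPal's code; the account data, method names and one-time code are constructed) contrasting a service that merely tells the client a second factor is required with one that refuses to move money until the server itself has verified that factor.

```python
import hmac
import secrets

# Constructed demo account (hypothetical, not real PayPal data).
ACCOUNTS = {
    "alice": {"password": "correct horse", "otp": "123456", "two_factor": True},
}


def _password_ok(user, password):
    acct = ACCOUNTS.get(user)
    return acct is not None and hmac.compare_digest(acct["password"], password)


class VulnerableService:
    """Issues a fully privileged session on primary credentials alone and
    trusts the client to honour the two_factor_enabled flag."""

    def __init__(self):
        self.sessions = {}  # token -> user

    def login(self, user, password):
        if not _password_ok(user, password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user  # already transfer-capable
        return {"token": token, "two_factor_enabled": ACCOUNTS[user]["two_factor"]}

    def transfer(self, token, amount):
        # Any valid token is accepted, even if the client skipped the 2FA prompt.
        return "ok" if token in self.sessions else "denied"


class HardenedService:
    """A 2FA account only gets a pre-auth session; the server upgrades it
    after checking the second factor, and transfer() checks that state."""

    def __init__(self):
        self.sessions = {}  # token -> {"user": str, "mfa_complete": bool}

    def login(self, user, password):
        if not _password_ok(user, password):
            return None
        token = secrets.token_hex(16)
        needs_mfa = ACCOUNTS[user]["two_factor"]
        self.sessions[token] = {"user": user, "mfa_complete": not needs_mfa}
        return {"token": token, "mfa_required": needs_mfa}

    def verify_second_factor(self, token, code):
        sess = self.sessions.get(token)
        if sess is None or not hmac.compare_digest(ACCOUNTS[sess["user"]]["otp"], code):
            return False
        sess["mfa_complete"] = True  # the server, not the app, records completion
        return True

    def transfer(self, token, amount):
        sess = self.sessions.get(token)
        return "ok" if sess and sess["mfa_complete"] else "denied"
```

The difference is where the decision lives: in the hardened form a client that ignores `mfa_required` gets nowhere, because the transfer endpoint consults server-side state rather than the client's honesty.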

It looks like it took a while, but PayPal were able to roll out most of the needed mitigations, though some issues may still remain.

Check out the link for a great writeup and nice video from @quine.