Recently, mobile security consultant Henry Hoggard found himself in a hotel room, needing to make a payment via PayPal. However, there was no phone signal, so he wasn’t able to receive his two-factor authentication token via text message. Hoggard had to think outside of the box.
In the event that a user can’t receive their authentication token, PayPal offers up their security question as an alternative. Upon being given this option, Hoggard quickly discovered a major flaw in the service’s security efforts, according to a report from analyst Graham Cluley.
Hoggard discovered that he could use an intercepting proxy to strip certain fields from the POST data submitted with the security-question answer. With those fields removed, PayPal's server treated the question as answered regardless of what he had typed into the field, rendering the multifactor authentication protection useless.
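The flaw described above is a fail-open check: the server only validated the answer when the relevant fields were present, so a request with those fields stripped passed. The following is an added, hypothetical model written for this page, not PayPal's code; the field names (`security_question_id`, `security_answer`), the question id, the stored answer and the sample requests are all constructed for the demonstration. It places a fail-open verifier beside a fail-closed one that rejects any missing, malformed, empty, mismatched or wrong input and returns a reason that can be logged, so a sudden run of `missing_or_malformed_field` results is itself a signal that clients are submitting tampered requests.

```python
"""Illustrative model of a security-question second factor.

Added example, not PayPal's code. Field names, the question id, the salt
and the enrolled answer are constructed for the demo.
"""
import hashlib
import hmac
from typing import Tuple

# Constructed enrolment data: the answer the user registered, stored salted and hashed.
_SALT = b"constructed-demo-salt"
QUESTION_ID = "q1"


def normalize(answer: str) -> str:
    """Case-fold and collapse whitespace so 'Fluffy ' and 'fluffy' compare equal."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str) -> bytes:
    """Salted SHA-256 of the normalized answer (a slow KDF would be better in production)."""
    return hashlib.sha256(_SALT + normalize(answer).encode("utf-8")).digest()


STORED = {"question_id": QUESTION_ID, "answer_hash": hash_answer("Fluffy")}


def vulnerable_verify(form: dict) -> bool:
    """Fail-open check: the answer is compared only when the field arrives.

    A client that simply omits the field is waved through, which is the class
    of defect the article describes.
    """
    if "security_answer" in form:
        return hmac.compare_digest(hash_answer(form["security_answer"]), STORED["answer_hash"])
    return True  # BUG: absence of the field is treated as success


def hardened_verify(form: dict) -> Tuple[bool, str]:
    """Fail-closed check: every expected field must be present, well-formed and
    correct. Anything else fails, with a reason string suitable for logging."""
    qid = form.get("security_question_id")
    answer = form.get("security_answer")
    if not isinstance(qid, str) or not isinstance(answer, str):
        return False, "missing_or_malformed_field"
    if qid != STORED["question_id"]:
        return False, "question_mismatch"
    if not normalize(answer):
        return False, "empty_answer"
    if not hmac.compare_digest(hash_answer(answer), STORED["answer_hash"]):
        return False, "wrong_answer"
    return True, "ok"


# Constructed requests: a normal submission and one with the answer field stripped.
NORMAL_REQUEST = {"security_question_id": "q1", "security_answer": "fluffy"}
STRIPPED_REQUEST = {"security_question_id": "q1"}

if __name__ == "__main__":
    print("vulnerable, normal   :", vulnerable_verify(NORMAL_REQUEST))
    print("vulnerable, stripped :", vulnerable_verify(STRIPPED_REQUEST))
    print("hardened, normal     :", hardened_verify(NORMAL_REQUEST))
    print("hardened, stripped   :", hardened_verify(STRIPPED_REQUEST))
```

The design point is that the server, not the client, decides which fields a step requires: the hardened verifier enumerates them up front and treats every deviation as failure, and it also checks that the question being answered is the one the server issued, so a client cannot substitute a different one. In a real deployment the same check should be bound to the server-side pending-2FA session state and rate limited, so that a wrong or missing answer can never be retried indefinitely.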
Fortunately, Hoggard alerted PayPal to the problem, and the company has now fixed the gap in its security measures. The researcher received a bounty for his part in addressing the issue — and, more importantly, users can be safe in the knowledge that multifactor authentication is being used to its intended effect.
It’s worth noting that an attacker would have needed to know the user’s password in order to actually take advantage of this weakness. That being said, it’s still surprising that such a major online payments service would find this kind of gap in its defenses.