PayPal fixed a major problem with its multifactor authentication protection

Multifactor authentication has become much more commonplace in recent years, with many experts pointing to the technique as a good method of keeping personal information safe online. However, not all implementations of multifactor authentication are created equal, and it seems that PayPal’s usage didn’t cut the mustard until very recently.

Recently, mobile security consultant Henry Hoggard found himself in a hotel room, needing to make a payment via PayPal. However, there was no phone signal, so he wasn’t able to receive his two-factor authentication token via text message. Hoggard had to think outside of the box.

In the event that a user can’t receive their authentication token, PayPal offers up their security question as an alternative. Upon being given this option, Hoggard quickly discovered a major flaw in the service’s security efforts, according to a report from analyst Graham Cluley.

Hoggard discovered that he could use a proxy to remove certain elements from the POST data associated with the security question. By doing so, he could trick PayPal into thinking that he’d answered the question, no matter what he entered into the field, thereby rendering the multifactor authentication protection useless.

Fortunately, Hoggard alerted PayPal to the problem, and the company has now fixed the gap in its security measures. The researcher received a bounty for his part in addressing the issue — and, more importantly, users can be safe in the knowledge that multifactor authentication is being used to its intended effect.

It’s worth noting that an attacker would have needed to know the user’s password in order to actually take advantage of this weakness. That being said, it’s still surprising that such a major online payments service would have this kind of gap in its defenses.
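
The report does not show PayPal's server-side code, so the following is an added sketch, not PayPal's or Hoggard's code, of the general failure class that matches the description: a handler that checks only the answer fields present in the request, next to one that checks against the challenge the server itself issued. The field names, answers and sample requests are hypothetical and constructed for illustration.

```python
import hmac

# Constructed server-side state for one login attempt: the questions the
# server issued and their expected answers (hypothetical field names; a real
# system would store salted hashes rather than plaintext answers).
CHALLENGE = {"answer_1": "rex", "answer_2": "leeds"}


def _same(submitted: str, expected: str) -> bool:
    # Normalise, then compare in constant time.
    return hmac.compare_digest(submitted.strip().lower().encode(), expected.encode())


def verify_fail_open(form: dict) -> bool:
    """Flawed pattern: the request decides which answers get checked."""
    for field, submitted in form.items():
        if field in CHALLENGE and not _same(submitted, CHALLENGE[field]):
            return False
    # If the answer fields were stripped in transit, nothing failed,
    # so the step is treated as passed.
    return True


def verify_fail_closed(form: dict) -> bool:
    """Hardened pattern: server state decides what must be present and correct."""
    ok = True
    for field, expected in CHALLENGE.items():
        submitted = form.get(field)
        # A missing or non-string field counts as a wrong answer.
        if not isinstance(submitted, str) or not _same(submitted, expected):
            ok = False
    return ok


# Constructed sample requests (form bodies already parsed into dicts).
SAMPLES = {
    "correct": {"csrf": "t0k", "answer_1": "Rex", "answer_2": "Leeds"},
    "wrong": {"csrf": "t0k", "answer_1": "x", "answer_2": "y"},
    "fields_removed": {"csrf": "t0k"},
    "one_removed": {"csrf": "t0k", "answer_1": "rex"},
}

if __name__ == "__main__":
    for name, form in SAMPLES.items():
        print(f"{name:15} fail_open={verify_fail_open(form)!s:5} "
              f"fail_closed={verify_fail_closed(form)}")
```

A regression test for this class of bug replays the fallback step with each expected field omitted in turn and asserts that every variant is rejected.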

Brad Jones