PayPal (News - Alert), the international e-commerce website has garnered over 150 million active users since it’s founding in 1998. It has promised a secure method for transactions to be made and payments to be accepted through the Internet, opening commerce to more remote areas and helping small businesses along the way.
Security has long been an enormous factor for the company and something its user base takes very seriously. In 2012, PayPal was host to $14 billion in transfers. Recently a U.S. based research firm, after some testing and investigation, has called facets of PayPal’s security features “shoddy.”
A common form of security for many years has been a randomly generated security key used to log in to sensitive accounts. PayPal adapted this feature and called it the “PayPal Security Key.” They suggest that this method be used for increase protection from fraud and digital onslaught.
US firm Duo Security has found a weakness that may have been present for years involving PayPal’s two-factor authentication that functions similarly to many others, sending it’s users a one time code to enter after entering their username and password.
More specifically the flaw lay in the mobile version of the website. When users on smartphones signed in via the mobile app, they were able to log in right until the point where a message appeared notifying them that their devices were incompatible with the service and it’s feature.
However, a user found that by simply turning on airplane mode in the moment after the log in but before the error message appears, and then switching it back on, the user remained logged in. This effectively bypassed the entire feature.
This user was Daniel Blake Saltman, a tech entrepreneur who warned PayPal about this flaw on March 28th, and informed Duo Security about it as well. Zach Lanier at Duo Security was able to write a relatively small program built on Python, which mimicked the process of the mobile app and created a sort of attack that fooled the site into thinking that a user was not signed up for the two-step system, even when they were.
The program told PayPal’s API’s that no two-factor authentication system was in use, a “session token” was then sent by the API server to the app, which confirmed a user, was logged in. As a temporary solution PayPal simply stopped returning those tokens. PayPal told Duo the issue would receive a permanent fix on July 28th, though details on what will be done are unavailable.
PayPal has assured its customers that “all PayPal accounts remain secure.”