27 June 2014

PayPal Security Flaw Revealed - What You Must Know


In yet another case of a security flaw at what is thought to be a safe site, researchers have found that it’s possible for mobile users to bypass PayPal’s two-step authentication process, which sends a code to a user’s cellphone to ensure that the person logging in is who he or she claims to be.


Security Vulnerability Revealed

Duo Security researchers unveiled a vulnerability in PayPal's two-factor authentication system that allows attackers to bypass the security system and make unauthorised payments from a user's account.

According to the Michigan-based two-factor authentication security research team, Duo Labs, the vulnerability lies in the authentication flow for the PayPal API web service, which is an API used by PayPal's official mobile applications, as well as third-party merchants and apps.

In a blog post, Duo Security said it waited until PayPal had put a workaround in place before publicly unveiling the vulnerability.

"As of the date of this post (June 25), PayPal has put a workaround in place to limit the impact of the vulnerability, and is actively working on a permanent fix," the post said. "In light of the vulnerability reporting timeline and the trivial discoverability of the vulnerability, we have elected to publicly disclose this issue, so that users can be informed to the risks to their PayPal accounts."

According to Duo Security, all an attacker needs is a victim's PayPal username and password to access a two-factor protected account and send money, with the protection offered by PayPal's two-factor Security Key mechanism bypassed and effectively nullified.

Duo Labs discovered that, although PayPal's mobile apps do not support 2FA (two-factor authentication)-enabled accounts, it was possible to effectively "trick" PayPal mobile applications into ignoring a 2FA flag on an account, subsequently allowing an attacker to log in without requiring secondary authentication — which is usually sent either to a user's mobile phone or a credit-card sized security code device.

The security research team was able to leverage the lack of 2FA enforcement by interfacing with the PayPal API directly and effectively mimic the payment platform's mobile app as though it were accessing a non-2FA account.

Duo Labs' proof-of-concept Python script exploit was able to communicate with two separate PayPal API services — one to authenticate, and the other to transfer money to another account destination.

While the standard browser-based PayPal web interface was not affected by the bypass, according to Duo Security, an attacker can use the underlying API to gain full account access.

Duo security said that, as of re-testing on June 23, PayPal had implemented a workaround, with a permanent fix slated for 28 July.

Duo Labs senior security researcher Zach Lanier says Duo began investigating the PayPal issue after a friend of the Michigan-based security firm’s CEO realized he could bypass the two-factor system on his own account in March. Duo sent more information on the flaw to PayPal, and Lanier says the company dragged its feet.

PayPal Responds

In a statement posted on its PayPal Forward Community page, PayPal's senior director of global initiatives, Anuj Naya, said that despite the vulnerability, "all PayPal accounts remain secure".

"The workaround identified by the researcher is related to an extra layer of security (2FA) some customers have chosen to add to their PayPal account," said Naya. "Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way.

"If you have chosen to add 2FA to your PayPal account, your account also remains secure and 2FA will continue to operate as usual on the vast majority of PayPal product experiences. Even though 2FA is an additional layer of authentication, PayPal does not depend on 2FA to keep accounts secure."

Last month, PayPal's parent company, eBay, informed customers of a massive privacy breach, announcing on 21 May that it had been subject to an attack that compromised a database holding non-financial data.

The company told its users to change their passwords, despite indications that it had not found any evidence to indicate unauthorised activity in customers’ accounts.

According to eBay, the attack saw its employee login credentials compromised as early as late February and early March, allowing access to its corporate network and customer database.

New day, new breach. The Identity Theft Resource Center counts more than 350 breaches for just this year, exposing more than 10 million records. And in April, a widespread Internet bug called Heartbleed was discovered, unveiling a major security hole in two-thirds of websites. At that time, experts said that two-step authentication was crucial to protecting data.

Culled from: ZDNet and MarketWatch

No comments:

Post a Comment