
PayPal 2FA Bypass - Spydar007
https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass
======
dkopi
Mistakes were made, and there are definitely lessons to be learned, but if we
want to improve the state of security, we really need to change the way we
react to these types of bugs.

If a service has an outage and a company posts a postmortem, we all think:
"wow! that was an interesting bug, let's learn from this". We shouldn't be
treating security issues differently.

People who make security mistakes aren't idiots. They aren't negligent.
They're engineers just like us, who have tight deadlines, blindspots and
mistakes. Shaming people and companies for security bugs will only cause less
transparency and less sharing of information - making us all less secure.

This is a really cool bug. Kudos to the researcher for finding it, responsibly
reporting it, and to PayPal for fixing it in a timely fashion. Hopefully -
this type of bug changes some internal processes and the way the company
thinks about 2FA.

As for security questions - these are obviously insecure, and should really
never be relied on. If you can opt out of security questions - do so. If you
can't - just generate a random password as the answer.
"I_ty/:QWuCllV?'6ILs`O12kl;d0-`1" is an excellent name for your first dog /
high school. Just don't forget to use a password manager to store these.

~~~
TeMPOraL
> _If you can't - just generate a random password as the answer.
> "I_ty/:QWuCllV?'6ILs`O12kl;d0-`1" is an excellent name for your first dog /
> high school. Just don't forget to use a password manager to store these._

Be wary of social engineering attacks though.

- <support on the phone> I'd also need you to provide me an answer to your
security question. What was your first dog's name?

- <me> Oh, you know, it's a long string of random characters I generated, I'd
have to give them to you one by one...

- <support> (looks at the answer) uh, right. I see. Let's continue then.

~~~
dexterdog
I always fill all social engineering-vulnerable questions with nonsense,
especially when it is a banking site. I like when they let you set the
question yourself so you can put something like "Why would a secure financial
institution allow such a horrible security hole in its system?" To which the
answer is Tyrolese4Tokyo_Beulah!Papuan.

~~~
zifnab06
I fill them with nonsense words unrelated to the question. Mother's maiden
name? Fire truck. First car? Air conditioner.

If I have to call a company they always ask me why. The explanation is anyone
who has me as a Facebook friend can figure out who my first girlfriend was, my
maternal grandmother's first name, my mother's maiden name, where I was born,
my first car, etc. And if every company has the same data, a data breach at
one makes the entire system fall apart.

~~~
beagle3
Same here. But recently, United Airlines changed their system to only allow
selecting from a list (your favorite dog breed? Choose 1 of 8. Your favorite
movie genre? Choose one of 12). I picked a random set and wrote it in my
password stash.

Seriously bad security practices.

------
pkamb
Sounds like a lot of work! PayPal will just turn off two-factor themselves if
you ask nicely via an unverified twitter DM.

[http://imgur.com/a/Tu1AN](http://imgur.com/a/Tu1AN)

[https://www.reddit.com/r/SocialEngineering/comments/3kgw3s/p...](https://www.reddit.com/r/SocialEngineering/comments/3kgw3s/paypal_will_disable_an_accounts_2factor_auth_if/)

~~~
TazeTSchnitzel
PayPal's 2FA broke on me when it started locking my account every time I
attempted to use it, because I'd previously made it send too many SMSes (poor
signal).

I was thankful that support let me disable it, but it was worrying they didn't
try to verify that I actually controlled my device first.

~~~
giancarlostoro
It's weird, don't all services that enable 2FA give you reset codes? Shouldn't
they ask you to use those, or at least give them one if anything so they can
help you disable your account? Kind of odd.

------
the7nd
The simplicity of this exploit demonstrates something profound. The most
dangerous things in life are not hidden deep in the weeds. Rather, they stare
us in the face in the most obvious spots. It isn't the unknown that presents
the biggest threat. It is the known that we never gave a second look.

~~~
bostik
The cardinal rule of security is: _you never, ever, trust anything the client
sends_.

This bypass is a perfect example. Although the author doesn't mention which
interception proxy he used, I'm 99% sure it was Burp. Replaying modified
content is trivial.

~~~
gant
Even with a free software tool like mitmproxy modifying requests is trivial.
You don't even need Burp.

~~~
Vendan
The free version of Burp is completely capable of doing this, and so much more.

------
agildehaus
One of my PayPal 2FA phone numbers is listed twice and both cannot be removed
(errors when I try). Their support can't help with the situation because their
side wasn't able to see the duplicate.

This is not surprising to me.

~~~
zifnab06
I've been unable to remove a credit card from my account for almost 5 years.
It's since expired, and is somehow stuck as the default payment method.

------
ryanfreeborn
Is 17 days an acceptable TAT here? I know investigation and fixes can be a
challenge, but with the severity of this exploit+PayPal being a serious
financial service, I kind of would hope for a faster fix. Maybe I'm off
base...I really don't know; curious what others think.

How much time would've had to pass (without PayPal doing anything) before the
author is ethically obligated to post to HN/media/etc about the hack? I
believe publicizing an (unpatched) exploit like this crosses into criminality,
but it would be essential to demonstrate some kind of proof, for credence and
gravity. I'm guessing the community has some standardized guidelines for this
sort of thing, but I'm not aware of them.

~~~
blazespin
17 days is fast, relatively speaking.

Security questions are hardly really that great of 2FA protection anyways.

~~~
ryanfreeborn
Good to know.

And ya, a security question to bypass a phone 2SV is a joke. Almost entirely
defeats the purpose.

~~~
vinay427
Just to be clear, it bypasses any of their 2FA codes, not just SMS-based
codes. The security questions bypass "feature" also appears on my account for
which I use a VeriSign 2FA dongle.

------
xorgar831
I've seen equally as ridiculous web bugs, computing prices browser side in
javascript, credit card numbers encoded in REST API endpoints, financial
websites not supporting 2FA at all or mixing http requests into the sites.
We're solidly in the dark ages of web security still.

~~~
Itsdijital
When I went to set up my online account for my old bank, I entered a randomly
generated 16 digit key and got an error; "Maximum password length limited to 6
characters...only alpha-numeric"

I called to inform them that their account creation was broken, because
obviously that was a bug. They told me that sometimes people have a hard time
remembering their password, so they "need to balance between ease of use and
security". My jaw dropped and my head rolled off my shoulders.

I didn't set up an online account.

~~~
xioxox
It seems standard practice for German banks to limit online passwords to five
alpha-numeric characters. Fortunately, you need a TAN number (generated by a
device or from an SMS message) to actually make a transaction. I have no idea
why they limit the password length like this.

~~~
pluma
I'm guessing it's five characters so people don't just use their four digit
PIN. I don't have any explanation for why they would limit it to five
characters though, or why it has to be alphanumeric.

That said, Comdirect seems to offer regular passwords or six digit PINs and
Bank of Scotland (in Germany) seems to also offer regular passwords.

But there are plenty of other offenders. For example my energy provider
E-wie-einfach requires a mix of alphanumeric characters but forbids pasting and
autofill (the latter of which luckily Chrome simply ignores).

I don't know what idiot ever came up with the idea that disabling paste makes
logins _more_ secure (only justification I've ever heard was about preventing
brute force attacks, proving an utter lack of understanding of the technology
involved) but sadly it's still a thing and it still leads to people using
trivial and easy to type passwords.

~~~
tttttttttttt
The justification is a rootkit which intercepts copy-paste but not the
password field

~~~
pluma
Sure, except then it would intercept the copy, not the paste. And it basically
trades clipboard vulnerabilities for keylogging vulnerabilities.

A more realistic exploit is a Flash banner on another tab intercepting the
password in the clipboard. This is why offline password managers automatically
expire the clipboard though.

The danger of discouraging complex or long passwords is far greater than
either of these two attacks, both of which rely on the user's system already
being compromised.

------
discordance
Ouch!

Also, PayPal really needs to stop using SMS for 2fa.

I expect more from a payment processor that is linked to my bank account.

~~~
microcolonel
What exactly is wrong with offering SMS 2FA? I don't have a smartphone, but I
have a great little prepaid phone. Why should I get _no features_ just because
they are not necessarily _as good as it gets_ ? Also, as far as I'm aware, all
of the major "attacks" on SMS 2FA are just the fact that a smartphone can be
compromised in many ways. I have much less attack surface: an attacker would
need to reprogram my undocumented exotic architecture phone with a bug in a
parser which is probably too small to contain bugs of that nature. The other
way is SMS MITM, which on some networks is demonstrated feasible, but requires
basically setting up an SDR near the victim, a lot more complicated.

With my prepaid provider, customer service is shoddy but would need
considerably more to do a number port than just the number.

By removing SMS 2FA you gain nothing, and I lose my only viable second factor.

~~~
ksec
From my limited reading on the issue. SMS in US is unsafe. Not sure if the
same can be said in other places like EU or Japan.

~~~
whyagaindavid
They should be fixing service providers and not blaming Google as in a couple of
days ago. (Of course, if a nation state is trying to hack you, good luck!)

------
TorKlingberg
This seems like a good time to rant about PayPal 2FA and its poor usability.

Every time I open the PayPal app I have to wait for a text message and type a
code across. That should not be necessary! PayPal should count the app as the
second factor and only ask for the password. I am happy to use 2FA with Google
because I only have to use it when on a new device, or once a month or so in
the browser.

Second, support 2FA apps like Authy already. SMS based 2FA is both insecure
and unreliable.

------
chirau
Out of curiosity, how much was the bounty? 3, 4 or 5 digits?

------
algesten
I'm using Verisign's VIP Access app (silly name) to generate PayPal's 2FA
tokens.

Good thing is it works without access to my phone.

Bad thing, the app has a unique ID that PayPal only allows me to use for one
of my three accounts.

Wish they'd implement TOTP.

------
bad_user
Does anybody know how to activate 2FA for PayPal?

In the security section I don't even have that option.

~~~
nobodyshere
Might be unavailable for your country.

~~~
gaza3g
Yup, I'm in Singapore and they told me that they don't have that feature yet.

I find that really ridiculous.

------
phreack
This is scarily simple. Profit indeed for a black hat. Coupled with a recent
post about Gmail on how phone carriers are the weakest link, I just don't feel
safe with anything but a dongle based 2fa these days.

~~~
tmzt
Unless the master key is compromised allowing anyone to generate authenticator
codes, as I seem to recall happened a few years ago with a major provider.

~~~
jlgaddis
I think you're referring to RSA's SecurID? That was roughly five years or so
ago.

------
DavidWanjiru
Am I the only one who found it odd that the author had internet access, but
there was no phone signal? Maybe it's because I'm Kenyan, where phone
penetration is much higher than internet penetration, and where internet
access over GSM has the biggest share of the internet access pie chart.

~~~
dkopi
This often happens when I'm travelling internationally. If I plan on buying a
local sim card instead of purchasing a roaming plan - I might not have access
to my SMS until I get back home.

~~~
45h34jh53k4j
Get a next gen phone; they should all do Wifi Calling now. This causes your
phone to tunnel the cellular via internet link, and you get full call and sms
coverage.

Of course, 2FA via SMS is a bad and deprecated pattern and needs to die! But!
you can get your phone overseas without roaming which is pretty neat.

------
0xmohit
If I were to guess, this flaw was a result of monkey-patching to support 2FA
that didn't quite consider different scenarios.

I've come across a few authentication bypass vulns that seem similar.

------
nabla9
The lesson from this:

Just looping through input arguments from the client, validating them and then
acting on them gives the client control of the code execution.

It's not enough to validate each input argument. You must also verify that
all parameters are really there and no extra parameters can slip into the
system. The whole combination must make sense. Enumerating all used parameter
combinations in a record that can be changed easily is one way to solve this.

------
ryanlm
I'm assuming that the relevant code is simply an if statement checking for
the existence of the url parameters, not even checking if the security
questions are correct.

    // Guessed vulnerable check: it only tests that the parameter exists,
    // never that the submitted answer is correct.
    if (isset($_GET['securityQuestion0'])) {
        // success
    }

This is negligence on the developers part and I think they should be
disciplined.

~~~
kelnage
Or they designed it to show a variable number of security questions (so
management could come along and say "we need 4 questions now" without causing
havoc). Then they'd iterate through the responses, verifying them against the
appropriate question. Simply forgetting to enforce that the number of
questions asked has to equal the number of responses sent would cause the
described vulnerability.

------
danielsamuels
I imagine you could have got the same results with inspect element and
deleting the form fields, rather than using a proxy.

------
yashafromrussia
What kind of API design is this? Post data should be sent within the request's
body over HTTPS. Not as a url query.

~~~
mrcarrot
Nowhere in the article does it say that the POST data was in the URL. As I
understood it, he was editing the request body before the request was sent to
PayPal's server.

------
andrewvijay
Short and sweet. Never seen a bug explained so succinctly.

------
TekMol
What is the additional phone verification good for if you can bypass it
anyhow?

I mean - if you can chose between pw+phone and pw+pw2 ... why bring the phone
into play at all?

------
greyskull
What could the backend logic possibly be for this to have worked?

~~~
Dinius
Something like this: (PHP felt like the right approach here :p)

    if ($selectedOption == SECURITY_QUESTION)
    {
        // Answers are only checked when BOTH fields are present, so a request
        // that omits them falls straight through to authenticateUser().
        if (isset($_POST["SecurityQuestion0"]) && isset($_POST["SecurityQuestion1"]))
        {
            if ($_POST["SecurityQuestion0"] != $answer0 || $_POST["SecurityQuestion1"] != $answer1)
            {
                // invalid answers
                return;
            }
        }

        authenticateUser();
    }

~~~
dkopi
More likely along the lines of

    if ((isset($_POST["SecurityQuestion0"]) && $_POST["SecurityQuestion0"] != $answer0) ||
        (isset($_POST["SecurityQuestion1"]) && $_POST["SecurityQuestion1"] != $answer1)) {
        return; // invalid answers; omitting both fields skips this check entirely
    }
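
The pattern nabla9 and kelnage describe (validate only what is present, never check that the set of submitted fields matches what was asked), and the per-field `isset` guess above, side by side with a hardened check. This is an added example written for this thread, not code from PayPal or from any commenter; the stored answers, question ids and session set are constructed sample data, and answers are kept as plain strings only to keep it short.

```python
import hmac

# Constructed sample data: answers on file for this account (a real system would
# store hashes) and the question ids the server itself chose to ask this session.
STORED_ANSWERS = {"SecurityQuestion0": "fire truck", "SecurityQuestion1": "air conditioner"}
ASKED_THIS_SESSION = {"SecurityQuestion0", "SecurityQuestion1"}


def vulnerable_check(post):
    """Mirrors the guessed pattern: each field is validated only if present,
    so a request with the answer fields stripped out passes."""
    for qid, expected in STORED_ANSWERS.items():
        if qid in post and post[qid] != expected:
            return False
    return True


def hardened_check(post, asked=ASKED_THIS_SESSION):
    """Require exactly the question set the server asked: no missing fields,
    no extra fields, and every answer compared in constant time."""
    submitted = {k for k in post if k.startswith("SecurityQuestion")}
    if submitted != asked:
        # Rejects both failure modes from the thread: omitted answers and
        # extra parameters that were never asked for.
        return False
    for qid in asked:
        given = post.get(qid)
        if not isinstance(given, str) or not given:
            return False
        if not hmac.compare_digest(given.encode(), STORED_ANSWERS[qid].encode()):
            return False
    return True


if __name__ == "__main__":
    stripped = {"selectedOption": "SECURITY_QUESTION"}  # answer fields removed
    print("vulnerable:", vulnerable_check(stripped))  # True: bypass
    print("hardened:", hardened_check(stripped))      # False
```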

------
dczmer
reminds me of this paypal 2fa exploit from a couple years ago:

[https://duo.com/blog/duo-security-researchers-uncover-bypass...](https://duo.com/blog/duo-security-researchers-uncover-bypass-of-paypal-s-two-factor-authentication)

because it was the same simple exploit on a different field.

------
Propen
It's 2016. They are a financial company. Why aren't they implementing TOTP
codes? NIST officially deprecated SMS.

------
nobodyshere
Bypass? Haha, it has been quite a while and they still haven't even enabled it
for my country. Same goes for Apple.

------
foota
Oh my god.

------
benevol
This is surreal.

Does PayPal outsource their web development to an anonymous script kiddie on
4chan?

~~~
kimshibal
No, they outsource to cheap devs in India.

------
rvolkan
I'm happy to see that the article doesn't have any BS that I have to ignore.
It's a simple page that only tells the 'required' story. As a reader, I want
more people to cut the crap about 'blah blah blah' and get to the subject.

~~~
blazespin
That only works if you can assume your audience has the necessary context.

That being said, I've often thought Hacker News should have a nice crowd
sourced tldr summary at the top of all the comments.

------
jknoepfler
Thank you to the author for reporting this bug in a responsible way. They are
a credit to our profession.

