I'm glad this was found independently and reported. While I was at PayPal I had started email threads about it but nothing was done. I am sure I was not the only one there who "discovered" this. For instance, even if you have 2FA you can add PayPal to Uber as if you never had 2FA.<p>The other big issue with their 2FA authentication is that it really isn't two factor. You can say you don't have the token and instead can answer security questions. Two factor is supposed to be something you know plus something you have. "Falling back" to security questions is basically just relying on things you know.
Based on this timeline, I don't understand why Duo didn't go public on 2014-04-28 when PayPal began being weasely about their bug bounty program. This probably would be better for users for two reasons: one, in the past 2 months, this bug may have been exploited in the wild, and two, it would make it easier for users to make informed decisions about which payments providers to use in the future (as well as which 2fa providers are technically competent).
Hey guys - its Anuj from PayPal. I just published a blog post that explains what we are doing to address this. <a href="https://www.paypal-community.com/t5/PayPal-Forward/Working-with-the-Security-Community/ba-p/828224" rel="nofollow">https://www.paypal-community.com/t5/PayPal-Forward/Working-w...</a>
A bigger problem for me is that two-factor authentication for PayPal is available only in few countries (US, UK and Germany I think). I tried to get a token but no chance; not even software with mobile app. When contacting support I was considered as a freak probably - they completely didn't what is the problem without 2FA. I really don't get it, why being global they limit 2FA to a few countries.
You never trust the client; this is amateur hour shit TBH. How could a company like PayPal let something like this through? SURELY there were employees raising hell before it ever hit the app stores?
It's interesting to watch corporations expose one another's vulnerabilities in a public way. It seems like this was done pretty fairly, giving PayPal ample time to address the bug-- so I guess that's neat.
I also do not like the two factor authentification from PayPal. Sometimes the SMS takes ages before it arrives (I waited more than 10 minutes here in Germany). And it is absolutely not possible to pay in eBay with Paypal and 2FA when using mobile browser or eBay Android app. I wished they use solutions like Google Authenticator for their 2FA.
I don't know if this is common knowledge but PayPal lets you log in with your CC number instead of the auth token sent via text message. I know because the text messages often do not arrive at all for me, even after repeated requests.<p>It "only" works one time though, the second time you're asked the dreaded "security question"
Three months??? It took a major global payment processor three months to fix an issue as big as this?<p>And people wonder why I'm constantly telling them to stop using PayPal.
It's not suprising that Duo Security is interested in exposing this flaw in their 2FA flow, since their product is a somewhat better 2FA solution. I've evaluated their solution for my project, but ultimately settled with MePIN which offered similar security at lower price.