
PayPal 2FA bypass – how did *that* get past testing?

Discussion in 'BlackHat Lounge' started by The Scarlet Pimp, Oct 31, 2016.

  1. The Scarlet Pimp

    The Scarlet Pimp Senior Member

    Joined:
    Apr 2, 2008
    Messages:
    877
    Likes Received:
    3,313
    Occupation:
    Chair moistener.
    Location:
    Cyberspace
    In a delightfully short and sweet technical article, UK security researcher Henry Hoggard recently reported on a PayPal authentication bug he found.

    He was paid a bounty by PayPal, and the hole is now closed, so revealing it doesn’t give away any security secrets that might still be abused...

    Here's what happened.

    Hoggard was trying to login to PayPal using its two-factor authentication (2FA) system.

    He couldn't receive his 2FA token via mobile phone, so he decided to use PayPal's "try another way" option to identify himself to the service.

    By using a proxy to monitor his own network traffic, Hoggard noticed that both the questions and the submitted answers were embedded into the URL used for logging in.

    Could a crook figure out how to submit correct answers?

    Hoggard quickly discovered that a crook could do just that, by simply removing the questions and the answers from the URL altogether.

    Lo and behold! Zero questions wrong out of zero questions asked, total errors zero, authentication approved.

    It's hard to believe that sort of attack got past testing, but apparently it did.

    In other words, the client decides which questions to ask, and a test with zero questions is treated as valid.

    Obviously, that's not right: the server asked the questions in the first place, so it doesn’t need to rely on the client to repeat the questions when it replies.

    One more thing is PayPal's awful choice of "security" questions.

    Pets' names are truly terrible choices for any sort of password, because the answers are usually easy to guess, or can be looked up on Facebook.

    And your birth hospital is an equally dreadful question, because you may not have one (if, like many people, you were born at home), you can never change it, and it's no one else's business, anyway.

    So, we strongly recommend that you treat these so-called "security" questions like any password, and invent an answer that is unique and complex.

    In fact, if you use a password manager, let it choose an answer for you.

    PayPal won't know that you never actually had a rabbit called DDOAIXSWIWHLYFTRFQRPRTQORPABGVHC or a cat that answered to xEc1lnlanrpgLBdDUX3fIj7kX2rC.

    https://nakedsecurity.sophos.com/2016/10/28/paypal-2fa-bypass-how-did-that-get-past-testing/
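    Added example, not code from the article and not PayPal's implementation: a hypothetical Python sketch of the broken check the article describes (client-supplied question list in the URL, "zero wrong answers" treated as success) beside a server-side version where the server remembers which questions it asked. The question identifiers, stored answers, URLs, parameter names (q, a, t, a_<qid>) and the in-memory session store are all constructed for illustration.

```python
"""
Two ways to check "try another way" security-question answers.

vulnerable_verify() models the flaw described above: the client's URL
says which questions were asked and supplies the answers, and the server
only counts wrong answers. Strip the questions out and zero wrong == pass.

hardened_verify() keeps the asked-question set on the server, ties it to
a single-use challenge token, and requires a correct answer for every
question it asked. Hypothetical code; nothing here is PayPal's.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed account record. Plain strings only to keep the example short;
# a real store would hold a slow hash of each normalised answer.
ACCOUNT_ANSWERS = {
    "pet_name": "fluffy",
    "birth_hospital": "st marys",
    "first_school": "oak street primary",
}


def _normalise(answer: str) -> str:
    """Case-fold and collapse whitespace so 'St  Marys' == 'st marys'."""
    return " ".join(answer.strip().lower().split())


def _answer_matches(qid: str, given: str) -> bool:
    expected = ACCOUNT_ANSWERS.get(qid)
    if expected is None:
        return False
    # Constant-time compare; cheap insurance against timing differences.
    return hmac.compare_digest(_normalise(expected), _normalise(given))


def vulnerable_verify(url: str) -> bool:
    """Broken check: trusts q= (which questions) and a= (answers) from the
    client and passes when the number of wrong answers is zero."""
    params = parse_qs(urlsplit(url).query)
    questions = params.get("q", [])
    answers = params.get("a", [])
    wrong = 0
    # zip() silently drops questions that have no paired answer, so an
    # unanswered question is not counted as wrong either.
    for qid, given in zip(questions, answers):
        if not _answer_matches(qid, given):
            wrong += 1
    # Zero questions asked -> zero wrong -> "authenticated".
    return wrong == 0


class ServerSession:
    """Server-side state for one challenge: which questions were asked."""

    def __init__(self, asked: list[str]):
        self.asked = list(asked)
        self.token = secrets.token_urlsafe(16)


def start_challenge(session_store: dict, asked: list[str]) -> str:
    """Server picks the questions, records them, hands the client a token."""
    sess = ServerSession(asked)
    session_store[sess.token] = sess
    return sess.token


def hardened_verify(session_store: dict, url: str) -> bool:
    """Server-driven check: the client supplies only a token and answers
    keyed by question id; the asked set comes from the session, never
    from the request, and every asked question must be answered correctly."""
    params = parse_qs(urlsplit(url).query)
    token = params.get("t", [None])[0]
    sess = session_store.pop(token, None)  # single use, success or fail
    if sess is None or not sess.asked:
        return False
    for qid in sess.asked:
        given = params.get(f"a_{qid}", [])
        if len(given) != 1 or not _answer_matches(qid, given[0]):
            return False
    return True


if __name__ == "__main__":
    base = "https://example.invalid/verify?"
    print("bypass with no questions:", vulnerable_verify(base))
    store = {}
    t = start_challenge(store, ["pet_name", "birth_hospital"])
    print("hardened, no answers:", hardened_verify(store, f"{base}t={t}"))
```

The fix is not "validate the q parameter harder": it is to stop reading the question set from the request at all. The server already knows what it asked, so the only client input that matters is the answers, and every asked question must have one.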
  2. Setox

    Setox Power Member

    Joined:
    Apr 30, 2015
    Messages:
    500
    Likes Received:
    205
    Occupation:
    CPA Hunter - Web Dev - Design
    Location:
    MA
    I have nightmares. 99% are about PayPal. That's why I always withdraw my shit to my CCs.
     
  3. redarrow

    redarrow Elite Member

    Joined:
    Apr 1, 2013
    Messages:
    5,207
    Likes Received:
    1,190
    What CC are you using? Payoneer isn't allowed any more, any advice?

    The problem with huge system programming is that it groups everything together with loads of programmers, so glitches are easy to forget.

    It's a glitch; someone forgot to fix a URL security issue...
     
  4. Setox

    Setox Power Member

    Joined:
    Apr 30, 2015
    Messages:
    500
    Likes Received:
    205
    Occupation:
    CPA Hunter - Web Dev - Design
    Location:
    MA
    1 - Who said I'm using Payoneer?
    2 - I don't understand.
    3 - I didn't understand.
     
  5. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,612
    Likes Received:
    11,243
    Occupation:
    Pusillanimous Knitter
    Location:
    Buenos Aires
    That's why we have a metric shit ton of "processes" for teams :) The error in this case was sheer stupidity, both from the team leader and the programmer who wrote that piece of code. The programmer because he had no real security understanding, and the team leader for not figuring that out. And if we go further, clearly the QA team failed (but that's expected, because who has security-minded QA testers?) and I would venture to guess that they did not have an external security audit on that part. Security is a bitch.