
PayPal's Two-Factor Authentication Can Be Bypassed Using eBay Bug

Unknown Lamer posted about 3 months ago | from the get-your-60day-exploits dept.


About six weeks ago, a hole in Paypal's two factor authentication and their mobile client was discovered. hypnosec (2231454) wrote in with news of another trivial way to bypass Paypal's two-factor authentication. A bug in a feature for eBay integration allows passing a GET parameter to completely bypass two-factor authentication, and you don't even need to be coming from eBay to use it. You still need the password, but additional protection is lost. From the article: eBay, in conjunction with Paypal, provide a service as to where you can link your eBay account to your Paypal account, and when you sell something on eBay, the fees automatically come out of your Paypal account. ... When you are redirected to the login page, the URL contains "=_integrated-registration." ... Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load http://www.paypal.com/ , and you are logged in, and don't need to re-enter your login. So, the actual bug itself is that the "=_integrated-registration" function does not check for a 2FA code, despite logging you into Paypal. You could repeat the process using the same "=_integrated-registration" page unlimited times.
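The flaw the summary describes is a login entry point that issues a session cookie after the password alone, while the normal entry point also demands the second factor. The following constructed model (added here; not PayPal's code, with hypothetical names such as `login_vulnerable`, `login_hardened`, `_login-run` and a stand-in OTP routine) shows that pattern beside the fix: route every entry point through one authentication gate, so the request parameter can only choose the redirect, never which checks run.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed model (hypothetical names, not PayPal's code) of a login
# service with two entry points selected by a request parameter.

@dataclass
class Account:
    password_hash: str
    totp_secret: Optional[bytes]       # None: second factor not enrolled
    sessions: set = field(default_factory=set)

def make_account(password: str, enroll_2fa: bool) -> Account:
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return Account(pw_hash, secrets.token_bytes(20) if enroll_2fa else None)

def current_otp(acct: Account) -> str:
    """Stand-in for a TOTP/DigiPass code: HMAC over a fixed time step."""
    mac = hmac.new(acct.totp_secret, b"time-step-0", hashlib.sha256).hexdigest()
    return str(int(mac, 16) % 1_000_000).zfill(6)

def _password_ok(acct: Account, password: str) -> bool:
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(acct.password_hash, given)

def _issue_session(acct: Account) -> str:
    token = secrets.token_hex(16)       # value that would go into the cookie
    acct.sessions.add(token)
    return token

def login_vulnerable(acct, cmd, password, otp=None):
    """Each entry point decides on its own whether to ask for the OTP; the
    integrated-registration path issues the session after the password alone."""
    if not _password_ok(acct, password):
        return None
    if cmd == "_integrated-registration":
        return _issue_session(acct)                 # BUG: second factor skipped
    if acct.totp_secret is not None and otp != current_otp(acct):
        return None
    return _issue_session(acct)

def authenticate(acct, password, otp=None) -> bool:
    """Single gate: password, then OTP if enrolled, regardless of entry point."""
    if not _password_ok(acct, password):
        return False
    if acct.totp_secret is None:
        return True
    return otp is not None and hmac.compare_digest(otp, current_otp(acct))

def login_hardened(acct, cmd, password, otp=None):
    """cmd only picks the post-login redirect; it never changes which checks run."""
    return _issue_session(acct) if authenticate(acct, password, otp) else None
```

Reviewing a login service for this class of bug means listing every handler that can set the session cookie and confirming each one reaches the shared gate rather than its own copy of the checks.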


33 comments


No worries (0)

Anonymous Coward | about 3 months ago | (#47606947)

No worries, it's not like PayPal is a bank or had access to your bank or anything.

Re:No worries (0)

Anonymous Coward | about 3 months ago | (#47607035)

Yeah, and that their TOS demands that you arbitrate in California and nowhere else.

Read the TOS and all the links to the other documents that PayPal and eBay require that you agree to use their services.

Go ahead read it.

tl;dr: to quote from GoodFellas - "Fuck you! Pay me!"

And Elon Musk (snake musk?) put that in place.

Re: No worries (0)

Anonymous Coward | about 2 months ago | (#47621255)

Terms of service do not override statutory rights in Europe, or at least the UK.

Re:No worries (0)

fuzzyfuzzyfungus (1223518) | about 3 months ago | (#47607051)

No worries, it's not like PayPal is a bank or had access to your bank or anything.

Paypal is the company so evil that I think of my bank as a trusted friend and protector who stands between me and them. And I usually loathe my bank.

Re:No worries (2)

Kenja (541830) | about 3 months ago | (#47607057)

Hey now, without PayPal there would be no Tesla or Space X.

Re:No worries (0)

Anonymous Coward | about 3 months ago | (#47607113)

Hey now, without PayPal there would be no Tesla or Space X.

That's a bad thing?

Re:No worries (1)

rayray14 (591465) | about 3 months ago | (#47607205)

Out of curiosity, why would you insist it's a good thing?

Re:No worries (0)

Anonymous Coward | about 3 months ago | (#47608071)

Tesla is trying to put dealerships out of business! They're removing a... uhm... valuable (to the dealership)... relationship between dealer and customer, that's an American tradition. It's a... freedom. Yea, Tesla is taking our freedoms! And the jobs at the dealerships. They take our jobs! Dey took ur jerbs!

Re:No worries (5, Informative)

jcgam69 (994690) | about 3 months ago | (#47607127)

I see comments like this all the time, but in my own personal experience paypal protected me as a seller from a fraudulent buyer who tried to steal several hundred dollars. Although the process was not quick, in the end Paypal discovered the truth, and I'll continue to use and recommend the service.

Re:No worries (3, Interesting)

Wycliffe (116160) | about 3 months ago | (#47607169)

Same here. I've had multiple disputes on paypal and they all were decided in my favor.
My dad had several thousand dollars stolen from his account and paypal gave him all his money back.
I never leave money in my account so there is really nothing they can seize from me and their
arbitration leaves an extra layer of protection against fraud.

Re:No worries (2)

naughtynaughty (1154069) | about 3 months ago | (#47607557)

PayPal is great until it isn't. I paid an eBay seller from my checking account, an e-Check. A few days later eBay cancelled the sale and PayPal credited the amount withdrawn from my checking account to my PayPal account and then "permanently restricted" the account. No explanation why. Anything I can do? No. Can I have the money put back in my checking account? Nope, we are freezing it for 180 days. After 180 days they redeposit the funds to the checking account. So much for eBay and PayPal, 10 year history with both with zero issues. No communication, no explanation, no appeal, no nothing.

Re:No worries (4, Interesting)

roman_mir (125474) | about 3 months ago | (#47607981)

I'll see your story and raise you mine. I bought a video card on eBay back in December, paid 1200 for it and waited for it to arrive to a pick up centre, but the seller used a wrong name on the package and so the package was returned. From POV of eBay the shipping was 'completed' because the tracking number was there, showing 'delivered', but the address of the delivery was back in New York, not my destination address. Then the 'seller' supposedly sent the package to me the second time, but this time wouldn't provide the tracking number, and the package never arrived. Talking to eBay appeared to be fruitless (as a side note, the 'seller' put the same item back for sale, and since she doesn't normally sell computer parts, I assume it was the same video card that was put for sale once again). I contacted eBay and PayPal, nothing. Eventually I worked it out through my credit card, they pressed on PayPal I guess, I got the money back but not thanks to eBay or PayPal. AFAIC (and I told them that) they continued working with somebody selling stolen property, but it didn't matter to them.

Re:No worries (0)

Anonymous Coward | about 2 months ago | (#47608253)

Who are you and what did you do to the real roman_mir?

The real roman_mir would absolutely defend and worship the likes of eBay and PayPal, for they are the modern robber barons.

With the Internet being their railroad, these modern barons created products and services that people wanted, grew the economy, and created thousands of real productive jobs.

The real roman_mir would tell you that your own story is meaningless. The only thing that matters is that government is not involved here. The mighty free market has spoken and eBay and PayPal's level of service (or lack thereof) is good enough, the most efficient solution for now (if you think you can offer better, start your own business and compete with them). It's your own damn fault for not knowing what you're getting into when you signed up with eBay, with PayPal, or with the dude trying to sell you stuff. Caveat emptor. Give her an A minus minus review [xkcd.com] and let the free market sort itself out.

Re:No worries (1)

Anonymous Coward | about 2 months ago | (#47608357)

Sounds like an intentional scam. List expensive product, sell it, ship it to "wrong address" which is really a drop box, retrieve item, and sell again. When buyers protest, the seller can show it was "delivered". Seems to me like Ebay and PayPal would at least want to make sure the address matched your address.

Anyway, that's why the general advice is not to purchase from sellers who have a lot of points selling very low value merchandise and then are suddenly selling a high-dollar item. It's a common fraud.

Re:No worries (1)

mysidia (191772) | about 2 months ago | (#47610627)

I had one dispute on PayPal ever involving an eBay transaction with a PayPal verified user; piece of electronics the seller never shipped, paid using PayPal instant transfer which PayPal always touts as the best way to pay direct from bank account..... seller got a DHL tracking number, item never picked up, seller made various hoax claims about failed delivery, but shipper tracking always clear item never picked up from shipper..... PayPal ruled in my favor, but could recover less than $60 from the seller out of $120, seller "disappeared" and stopped responding, so I still lost a good bit of money.

Even when you "win" a PayPal or eBay dispute, you actually lose. Not happy with that at all...

Re:No worries (0)

Anonymous Coward | about 3 months ago | (#47607229)

I'm sure you have a good reason for calling them evil, but I've never observed them to be anything but professional. I have lost money where a company did not deliver the software but claimed they did via email. But that's for all practical purposes impossible for PP to know if it was delivered. I've been using them for several years and like how they do things. When people have tried to defraud me they have stepped in and using good judgment (and logic) saw the fraud attempt and went to bat for me with the other guy's CC company.

Re:No worries (0)

Anonymous Coward | about 3 months ago | (#47607339)

As a buyer I've had the opposite experience. Bought and paid for a battery that said it would fit my laptop, but it didn't. To get a refund I had to post the item back to the buyer at my cost - $20 shipping for a $30 item supposedly... I told paypal and they sided with the seller --> i.e. if they ship you the WRONG thing, it's the buyers fault?!

unable to replicate findings. (4, Informative)

Kenja (541830) | about 3 months ago | (#47606965)

Perhaps I'm not understanding... but as my PayPal and eBay accounts have different passwords and I have two factor authentication set up using a DigiPass 5 rotating cypher key, I am unable to replicate what is being reported. No matter what, I am prompted for my DigiPass token key and password.

Re:unable to replicate findings. (1)

cciechad (602504) | about 3 months ago | (#47607027)

I saw this yesterday. It hasn't always been like this. It let me pay for an eBay transaction yesterday without asking for my OTP for Paypal.

Re:unable to replicate findings. (1, Interesting)

InfiniteBlaze (2564509) | about 3 months ago | (#47607073)

The hole was found six weeks ago. If they didn't fix it within that time frame, we'd have a serious problem on our hands. http://it.slashdot.org/story/1... [slashdot.org]

Re:unable to replicate findings. (1)

InfiniteBlaze (2564509) | about 3 months ago | (#47607083)

I misread. This is a new hole. My apologies.

Re:unable to replicate findings. (1)

MegaManSec (3494867) | about 3 months ago | (#47607133)

If you log in here: https://www.paypal.com/cgi-bin... [paypal.com] (Make sure you check it's https://www.paypal.com/ [paypal.com] !!) Does it work? The eBay account that is used in the 'exploit' does NOT have to be associated with the Paypal account. Any eBay account can be used. You can even create a new one, with a completely random email.

Re:unable to replicate findings. (2)

Charliemopps (1157495) | about 3 months ago | (#47607155)

Perhaps I'm not understanding... but as my PayPal and eBay accounts have different passwords and I have two factor authentication set up using a DigiPass 5 rotating cypher key, I am unable to replicate what is being reported. No matter what, I am prompted for my DigiPass token key and password.

I'm not sure I understand the hole either... but it doesn't matter. I can't remember a time period when PayPal's 2 factor authentication hasn't been broken. Authentication isn't that hard but PayPal manages to have so many loopholes in their authentication process that we hear about a new one every few weeks. Given that, I just assume the service has quite a few, as of yet, undiscovered holes. I don't store money there, and I have it linked to its own special account in my bank so I know exactly what's coming in and out. Even if someone did hack it, there would be no funds for them to withdraw unless they just happened to catch me between moving the money in and making a purchase.

Re:unable to replicate findings. (1)

tepples (727027) | about 2 months ago | (#47608279)

Authentication isn't that hard

It is if you don't want to have to pay for dedicated second factor hardware or pay a cellular carrier for SMS or data service every time you authenticate.

Re:unable to replicate findings. (1)

Guppy06 (410832) | about 3 months ago | (#47607573)

Are the accounts "linked?"

Re:unable to replicate findings. (0)

Anonymous Coward | about 2 months ago | (#47608417)

What's your name and password? I'll try it on my computer and report back!

I give up (1)

nani popoki (594111) | about 3 months ago | (#47607079)

From now on, I'm paying for everything with doubloons.

Re:I give up (0)

Anonymous Coward | about 3 months ago | (#47607531)

Why not dogecoin?

Re:I give up (1)

Oceangnome (3696039) | about 3 months ago | (#47607717)

Me too.

Bug bounty isn't enough. (1)

Vellmont (569020) | about 3 months ago | (#47607137)

The article says he won't be eligible for $2500-$3000. It's hardly worth it. Getting worldwide attention, and a good reputation for finding a major security vulnerability in a major website is worth a LOT more than $3000, especially when you've waited 60 days after disclosing it.

I'd say the bounty should be about 10x for major problems like this that are easily reproducible, and have a high impact.

PayPal allows merchants to transfer any amount (1)

Anonymous Coward | about 3 months ago | (#47607415)

That's like allowing a gas station to change the amount to transfer after you entered your PIN or just like changing the amount in a check after you received it.

Anyway, PayPal thinks this is a feature: http://seclists.org/fulldisclosure/2014/Jul/86

PIN before pumping fuel (4, Informative)

tepples (727027) | about 2 months ago | (#47608311)

That's like allowing a gas station to change the amount to transfer after you entered your PIN

Except they already do that. The cardholder slides the card and puts in a PIN before pumping the fuel, at which time the pump doesn't know how much fuel the cardholder will pump. So the pump places an "authorization" for $100 or so, which lowers the cardholder's credit limit by $100 for the rest of the day, and turns on for up to $100 of fuel. Later, the pump performs a "capture" that releases the "authorization" and makes the payment final.

Evil Enemy (-1)

Anonymous Coward | about 2 months ago | (#47608653)

Paypal is an enemy of freedom. They tried to silence Wikileaks and many others by using financial controls.
