Skip navigation

The PayPal 2FA Bypass: How Legacy Infrastructure Impacts Modern Security

[See Part 1 for our technical write up and demonstration video.]

Once upon a time, our buddy Dan reached out to us to inquire about a surprising issue he observed in the PayPal iOS mobile app.

Dan is a tech-savvy guy (founder of EverydayCarry.com and a bunch of other interesting sites), but isn’t a self-proclaimed security researcher. However, he had stumbled upon a pretty serious vulnerability in PayPal’s authentication process using very low-tech methods.

Dan observed that after he logged in to his 2FA-protected PayPal account using the iOS mobile app, he would be automatically logged out since the mobile app does not yet support 2FA login. However, Dan noticed that if he enabled his iPhone’s “Airplane mode” at the right moment, the app would fail to log him out and he would have normal, full access to his PayPal account without ever completing two-factor authentication.

If you’re a security d00d, that should pop red flags, ring alarm bells, and raise your mental DHS hacker advisory level from ELEVATED to HIGH.

Long story short, the bad juju you’re imagining is true-true and PayPal’s server-side is handing out authenticated session tokens when only a username and password is provided, allowing an attacker to effectively bypass PayPal’s 2FA. But if you’re interested that long story, check out our post on the [awesome technical details of the vulnerability] by Zach Lanier, our senior security researcher at Duo Labs.

The rest of this post is structured as a FAQ. And by FAQ I mean questions that nobody has asked (but I’m pretty sure my cat is curious about), and putting them in italics lets me get to the various points I want to touch on in this post.

So, what does this mean for the everyday average PayPal user?

If you haven’t enabled two-factor on your PayPal account, you must like living dangerously. With the prevalence of phishing and other credential stealing techniques, relying solely on a password to protect your financially-lucrative accounts is a bad idea.

Phishing attacks against PayPal users have seen a 73% increase in 2014 compared to the previous year. Over 18,600 PayPal phishing sites were identified in a two-week span. Yikes.

If you have enabled two-factor on your PayPal account, congratulations on navigating the myriad of menus required to find the Security Key options in the PayPal interface and adequately protecting your account!

The bad news: you’ve unknowingly been living dangerously, since the weakness we identified in PayPal’s authentication process allows a complete bypass of the two-factor mechanism. In addition, many users of two-factor may feel more confident about their account security and thereby lower their guard when it comes to selecting or protecting their password, putting them at greater risk.

Does that mean you should avoid enabling two-factor across the web? No way! While implementation flaws may limit the efficacy in some specific cases like this one, properly implemented 2FA is one of the most effective technologies to secure your accounts, so apply liberally!

What are the broader implications for the security industry?

When dissecting the PayPal vulnerability, it quickly becomes clear that the root cause is an issue of legacy compatibility. That is, PayPal wanted to improve their login security with two-factor authentication, but needed to do so in a way that didn’t break their existing interfaces.

This is particularly challenging for a company at the scale of PayPal that has an extensive ecosystem of merchant partners, payment APIs, and checkout SDKs to integrate into thousands of third-party applications and services. Making significant changes in authentication flow, the one security control that gates all vital access and privilege, is an enormously arduous and fragile task.

Unsurprisingly, this is not the first time we’ve observed legacy infrastructure have a major impact on the security of two-factor authentication. In fact, about a year ago, we published a similar break in Google’s two-factor authentication service, that resulted from a mechanism called “Application Specific Passwords” that was designed to maintain compatibility with legacy authentication interfaces: Bypassing Google's Two-Factor Authentication.

In this particular case, PayPal rolled out two-factor in a web-first manner, without keeping mobile in mind as a first-class citizen. It’s not entirely surprising though if you consider the constraints - if you want to make changes to your authentication flow, but your mobile SDK is baked into thousands upon thousands of third-party mobile apps which all leverage that authentication flow, how do you make any reasonable progress? Again, a modern mobile-first access pattern has thrown a wrench into an otherwise slam-dunk upgrade to account security.

If top-notch organizations with sophisticated security engineering groups like PayPal and Google are facing such challenges, how will others fare? We’re confident that the PayPal and Google incidents are just the tip of the iceberg.

More broadly, these vulnerabilities are a good example of how the move to cloud and mobile has not always been graceful for organizations and has been disruptive to the way we deploy security controls.

Not only are modern security controls challenging to adapt and apply to legacy infrastructure and interfaces, but legacy security controls fall flat when it comes to modern infrastructure. How do you deploy your legacy security controls (FW, NIDS, DLP, AV, VA, WAF, etc) in the world of cloud and mobile when you don’t control the endpoint, network, application or infrastructure?

Authentication is often the only effective security control you have left in a modern, cloud and mobile-enabled IT environment. So you better be damn sure that authentication control is more than a simple password. If this is something that keeps you up at night, we should talk.

What is Duo’s interest in these 2FA breaks like PayPal and Google?

Well, one of Duo’s missions as a company is to democratize the use and deployment of strong authentication so that all users can benefit from them, not just the Fortune 500. While our product is aimed squarely at fulfilling that mission, it's not the start and the end.

We've got a boatload of experience building 2FA systems, so we also know all the challenges, design decisions, and potential missteps that people make when building them and the vulnerabilities that can result.

The previous Google issue and this PayPal issue are just two examples of our efforts to assess and audit popular two-factor implementations of all shapes and sizes. By sharing our experience and security expertise with the Internet as a whole, we can further fulfill our mission and help make the Internet a safer place.

In other words, we have a lot more great research going on at Duo Labs, so keep an eye out for what’s next!

Jon Oberheide

Co-Founder and CTO

@jonoberheide

Jon is the co-founder and CTO of Duo Security, responsible for leading product vision and the Duo Labs advanced research team. Before starting Duo, Jon was a self-loathing academic, completing his PhD at the University of Michigan in the realm of cloud security. In a prior life, Jon enjoyed offensive security research and generally hacking the planet. Jon was recently named to Forbes "30 under 30" list for his mobile security hijinks.