BBC News

Paypal fixes 'worrying' security bug

image copyrightPA
image captionMany two-factor authentication systems send codes via text messages to phones

A security researcher has found a simple way round one of the systems Paypal uses to protect users' accounts.

Deleting a few characters in the data which web browsers send to Paypal let Henry Hoggard bypass Paypal's two-factor authentication scheme.

This system is supposed to make accounts more secure by using extra methods to confirm someone's identity.

Paypal said it patched the bug days after it was reported.

'Screwed up'

In a blogpost, Mr Hoggard said he discovered the flaw during a recent trip when he needed to use Paypal but was in a cell phone dead spot.

This meant that Paypal would not be able to send an access code via text message to his phone to make the two-factor authentication (2FA) system work.

In such situations, Paypal asks users to verify their identity by providing correct answers to secret questions they chose when they first set up an account.

Mr Hoggard could not remember which answers he gave so got round this requirement using a software program called a proxy through which he funnelled data passing from his laptop to Paypal's website.

Using the proxy, he altered the stream of data to make it look like he had answered the questions correctly.

In all, he said, the bypass took less than five minutes to carry out.

The bug was reported to Paypal on 3 October and was fixed by the payments firm three days later. Mr Hoggard was paid a bounty by Paypal for finding the bug.

In a statement, Paypal said: "We worked quickly to resolve the reported issue. We do not have evidence to suggest that PayPal accounts were impacted in any way."

It added; "PayPal takes the security of our customers' data, money and account information extremely seriously."

Independent security expert Graham Cluley said the bug was a "worrying failure" by Paypal.

Security researcher Troy Hunt said the incident was a "reminder that even the big guys can fundamentally screw this stuff up".

Related Topics

  • Cyber-crime
  • Cyber-security
  • PayPal

More on this story

  • Webcams used to attack Reddit and Twitter recalled