Following in the footsteps of security researcher Stevie Graham (click here for his story), 17-year-old Australian Josh Rogers was upset when PayPal ignored the bug he found within its two-factor authentication security system.
He found a flaw that lets any attacker who knows your eBay or PayPal login get into your account by simply bypassing the two-factor authentication step.
Here's how the hack works:
Once a hacker has both sets of login credentials, she can use a page where users link their eBay and PayPal accounts to create a cookie that tricks PayPal into thinking that the person being hacked is logged in. This keeps PayPal from initiating two-factor authentication.
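The flaw described above belongs to a well-known class: a secondary flow (here, account linking) issues or upgrades a session without checking whether the second factor was actually completed. The following Python is an added, hypothetical illustration of that design mistake and its fix; it is not PayPal's or eBay's code and does not reproduce their actual mechanism. All users, passwords and codes are constructed for the demo.

```python
import hmac
import secrets

# Constructed demo credentials, not real accounts.
USERS = {"alice": {"password": "correct-horse", "totp": "123456", "mfa": True}}


class Sessions:
    """Server-side session store: the authentication level lives here,
    never in a client-supplied cookie value."""

    def __init__(self):
        self._db = {}

    def new(self, user):
        sid = secrets.token_urlsafe(16)
        # A session starts as 'password only' for users enrolled in MFA.
        self._db[sid] = {"user": user, "mfa_done": not USERS[user]["mfa"], "linked": False}
        return sid

    def get(self, sid):
        return self._db.get(sid)


def login(sessions, user, password):
    """Password step: returns a session id that is NOT yet fully authenticated."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return None
    return sessions.new(user)


def complete_mfa(sessions, sid, code):
    """Second-factor step: the only place allowed to set mfa_done."""
    s = sessions.get(sid)
    if s and hmac.compare_digest(USERS[s["user"]]["totp"], code):
        s["mfa_done"] = True
        return True
    return False


def weak_link_accounts(sessions, sid):
    """Flawed linking flow (hypothetical): it only knows the password step
    succeeded, yet it marks the whole session as fully authenticated."""
    s = sessions.get(sid)
    if not s:
        return False
    s["linked"] = True
    s["mfa_done"] = True  # BUG: the linking page must not grant MFA status
    return True


def hardened_link_accounts(sessions, sid):
    """Fixed linking flow: linking is itself gated on a completed second
    factor and never modifies the authentication level."""
    s = sessions.get(sid)
    if not s or not s["mfa_done"]:
        return False
    s["linked"] = True
    return True


def can_access_account(sessions, sid):
    """Every sensitive action checks the server-side MFA state."""
    s = sessions.get(sid)
    return bool(s and s["mfa_done"])


def demo(link_flow, mfa_code=None):
    """Log in with password only, optionally complete MFA, then hit the
    linking flow; return whether the account is now accessible."""
    sessions = Sessions()
    sid = login(sessions, "alice", "correct-horse")
    if mfa_code is not None:
        complete_mfa(sessions, sid, mfa_code)
    link_flow(sessions, sid)
    return can_access_account(sessions, sid)


if __name__ == "__main__":
    print("weak flow, password only:    ", demo(weak_link_accounts))      # True  (bypass)
    print("hardened flow, password only:", demo(hardened_link_accounts))  # False
    print("hardened flow, after MFA:    ", demo(hardened_link_accounts, "123456"))  # True
```

The detection angle for defenders is the same as the fix: log which code path set the session's authentication level, and alert on any session reaching a privileged state without a record of the second-factor step.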
Rogers found the flaw on June 5, but didn't receive a response from PayPal until June 27, and then again on July 4; by then PayPal had still done nothing to fix the vulnerability.
The good news is that Rogers isn't in it for the money; he is genuinely interested in the public's well-being. By posting the hack information online, he surrenders any earnings from the bug bounty program.
“I don’t care about the money, no ... Money isn’t everything in this world.”
A PayPal spokesperson has this to say in response:
"We are aware of a two-factor authentication (2FA) issue that is limited to a small amount of integrations with Adaptive Payments. ... We are working to get the issue addressed as quickly as possible."