
A 17-year-old discovered a serious flaw in PayPal security


Following in the footsteps of security researcher Stevie Graham, 17-year-old Australian Josh Rogers was upset when PayPal ignored the bug he found within its two-factor authentication security system.

He found a flaw that lets any hacker who knows your eBay or PayPal login get into your account easily by simply bypassing the two-factor authentication steps.

Here's how the hack works:

Once a hacker has both sets of login credentials, she can use a page where users link their eBay and PayPal accounts to create a cookie that tricks PayPal into thinking that the person being hacked is logged in. This keeps PayPal from initiating two-factor authentication.
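The class of flaw described above, sketched as an added example that is not PayPal's code or part of the original article: a secondary login path issues a cookie that only says "logged in", next to a hardened form in which the cookie records which factors were actually verified. The article does not describe the real cookie, so every name, field and value here is hypothetical and constructed for the illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed signing key, demo only
# Constructed account; plaintext password only to keep the demo short.
USERS = {"alice": {"password": "pw", "totp_enrolled": True}}

def _sign(session):
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def _verify(cookie):
    body, _, mac = cookie.partition(".")
    good = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), good.encode()):
        return None  # tampered or malformed cookie
    return json.loads(base64.urlsafe_b64decode(body))

def _password_ok(user, password):
    stored = USERS.get(user, {}).get("password", "")
    return bool(stored) and hmac.compare_digest(stored.encode(), password.encode())

# Weak: the secondary entry point issues a cookie that just says "logged in",
# and protected pages trust that flag, so the second factor is never requested.
def link_login_weak(user, password):
    return _sign({"user": user, "logged_in": True}) if _password_ok(user, password) else None

def account_access_weak(cookie):
    session = _verify(cookie)
    return bool(session and session.get("logged_in"))

# Hardened: the cookie records which factors were actually verified ...
def link_login_hardened(user, password):
    return _sign({"user": user, "factors": ["password"]}) if _password_ok(user, password) else None

def complete_second_factor(cookie, code_ok):
    session = _verify(cookie)
    if session is None or not code_ok:
        return None
    session["factors"] = sorted(set(session.get("factors", [])) | {"totp"})
    return _sign(session)

# ... and every protected page compares them with what the account requires.
def account_access_hardened(cookie):
    session = _verify(cookie)
    if session is None:
        return False
    required = {"password"}
    if USERS[session["user"]]["totp_enrolled"]:
        required.add("totp")
    return required <= set(session.get("factors", []))
```

The point of the hardened form is that the 2FA decision is made where the account is accessed, not at one particular login page, so a second entry point cannot skip it.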

Rogers found the flaw on June 5 but didn't receive a response from PayPal until June 27, and then again on July 4; by then PayPal had done nothing to fix the vulnerability.

Too much time had passed for Rogers' liking, so what did he do? He published the hack to his blog and put it up on YouTube for anyone to see.

The good news is that Rogers isn't in it for the money; he is genuinely interested in the public's well-being. By posting the hack information online, he surrenders any earnings from the bug bounty program.

“I don’t care about the money, no ... Money isn’t everything in this world.”

A PayPal spokesperson has this to say in response:

“We are aware of a two-factor authentication (2FA) issue that is limited to a small amount of integrations with Adaptive Payments. ... We are working to get the issue addressed as quickly as possible.”

Source: Slate