Joshua Rogers, 17, lives in Melbourne, Australia. On June 5, he found a flaw in PayPal’s two-factor authentication security system. He reported it to PayPal that day. He says PayPal responded to him on June 27 and July 4, but it never fixed the vulnerability, so he did what teenagers (and people generally) often do and posted it on his blog.
The attack works only if a hacker knows her target’s eBay and PayPal login, but as PCWorld points out, malware to ascertain this information has existed for a really long time. (Hence the creation of two-factor authentication.) Once a hacker has both sets of login credentials, she can use a page where users link their eBay and PayPal accounts to create a cookie that tricks PayPal into thinking that the person being hacked is logged in. This keeps PayPal from initiating two-factor authentication.
Rogers published the hack on YouTube on June 20, and then on his blog on June 26. Then he republished it on his blog on Monday in an attempt to get PayPal’s attention. PCWorld notes that by publicly disclosing the vulnerability, Rogers sacrificed his chance at a reward for finding the bug. But he responded, “I don’t care about the money, no … Money isn’t everything in this world.”
A PayPal spokesperson wrote in a statement, “We are aware of a two-factor authentication (2FA) issue that is limited to a small amount of integrations with Adaptive Payments. … We are working to get the issue addressed as quickly as possible.” The statement goes on to emphasize that two-factor authentication is an optional and additional security measure, and that usernames and passwords in general haven’t been compromised.
But if your account has been hacked this flaw in PayPal two-factor authentication could be a problem for you. So yeah, anytime you want to fix this, PayPal, that would be great.