A new security vulnerability in PayPal lets hackers bypass the site’s two-factor authentication, according to a security researcher who says he’s reported the flaw to PayPal – but it remains unfixed.
Joshua Rogers, writing on his Just Another Security Blog site, says that on 5 June 2014 he found a complete bypass for PayPal’s 2FA service, in which anybody would be able to access a PayPal account that has 2FA set up just by logging in through a “special” PayPal page.
He claims to have alerted PayPal on the same day, but decided to go public with details of the vulnerability after two months passed without it being fixed.
PayPal uses two-factor authentication to protect users’ accounts, but the flaw discovered by Rogers allows this to be bypassed.

