A security researcher successfully bypassed Paypal 2-Factor Authentication in less than five minutes.
Henry Hoggard, a bug bounty hunter, reported the recent flaw in the popular online payment system. According to Hoggard: "Paypal's 2FA took less than five minutes to bypass."
How did he bypass Paypal 2FA?
Usually Paypal sends an SMS code when an account is accessed from a new network. Because Hoggard's phone had no signal to receive his two-factor authentication token, he clicked the "Try another way" link to authenticate by answering his security questions instead, and that is where he found the major flaw in Paypal's system.
When Paypal asked the security questions, Hoggard simply entered a random answer, then used an intercepting proxy to remove the "securityQuestion0" and "securityQuestion1" fields from the POST data. Boom! The server accepted the request with the answers missing, so he bypassed the 2FA verification and logged into his locked account.
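The report implies a server-side check that only validated the answer fields the client chose to send. As an added illustration (not Paypal's code, with constructed stored answers and the article's two field names), the flawed pattern is shown beside a fail-closed version that decides server-side which fields are required:

```python
import hmac

# Constructed example of stored, already-normalised answers for one account.
STORED_ANSWERS = {
    "securityQuestion0": "rover",
    "securityQuestion1": "lisbon",
}

# Constructed POST bodies: a wrong guess, the same request with the answer
# fields stripped out (the bypass described above), and a correct submission.
WRONG_GUESS = {"securityQuestion0": "zzz", "securityQuestion1": "zzz", "_csrf": "t"}
STRIPPED = {"_csrf": "t"}
CORRECT = {"securityQuestion0": "Rover ", "securityQuestion1": "Lisbon", "_csrf": "t"}


def verify_answers_vulnerable(form: dict, stored: dict = STORED_ANSWERS) -> bool:
    """Flawed pattern: iterates over what the client submitted.

    A field that is absent from the POST body is never compared, so a request
    with every securityQuestion* parameter removed has nothing left to fail.
    """
    for field, submitted in form.items():
        if field in stored and submitted != stored[field]:
            return False
    return True


def missing_required_fields(form: dict, stored: dict = STORED_ANSWERS) -> list:
    """Names the required fields a request left out; useful for logging and
    alerting, since a legitimate browser form always submits all of them."""
    return sorted(f for f in stored if not isinstance(form.get(f), str) or not form[f])


def verify_answers_hardened(form: dict, stored: dict = STORED_ANSWERS) -> bool:
    """Fail-closed pattern: the server's list of questions drives the loop.

    Missing or empty answers are rejected outright, every field is compared
    even after a mismatch, and the comparison is constant-time so the response
    does not reveal which answer was wrong.
    """
    if missing_required_fields(form, stored):
        return False
    all_ok = True
    for field, expected in stored.items():
        # apply the same normalisation used when the answer was stored (assumed)
        submitted = form[field].strip().lower()
        all_ok &= hmac.compare_digest(submitted.encode(), expected.encode())
    return all_ok
```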
He reported the issue to Paypal on October 3, 2016. Paypal fixed the security flaw on October 21 and awarded a huge bounty.
This is not the first time Hoggard has found a security hole; he has previously reported vulnerabilities in Android, Twitter, Facebook, Paypal, Blackberry and many more.