Security researcher bypassed Paypal 2-Factor Authentication in less than five minutes

A security researcher successfully bypassed Paypal 2-Factor Authentication in less than five minutes.

Henry Hoggard, a bug bounty hunter, reported the recent flaw in the popular online payment system. According to Hoggard, “Paypal’s 2FA took less than five minutes to bypass”.

How he bypassed Paypal 2FA?

Usually Paypal sends an SMS when we try to access our account from a new network. Since Hoggard’s phone had no signal to receive his two-factor authentication token, he clicked the “Try another way” link to authenticate by answering the security questions, and that is where he found the major flaw in Paypal’s system.

When Paypal asked the security questions, Hoggard simply entered a random answer, then used a proxy to remove “securityQuestion0” and “securityQuestion1” from the POST data. Boom! He bypassed the 2FA verification and logged into his locked account.
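The flaw class described above, as an added illustration that is not PayPal’s code (which is not public): a server-side security-question check that only validates the answer fields present in the POST data, beside a hardened version that fails closed when any expected field is missing. The field names come from the article; the stored answers and request bodies are constructed sample data.

```python
# Added illustration of the logic flaw described in the article; not PayPal's
# actual code. Field names securityQuestion0/1 come from the article; the
# expected answers and request bodies below are constructed sample data.
import hmac

# Constructed sample: answers on file for the account (plain strings here for
# brevity; a real system would store salted hashes).
EXPECTED_ANSWERS = {
    "securityQuestion0": "rex",
    "securityQuestion1": "lincoln high",
}


def answers_match(expected: str, supplied: str) -> bool:
    """Constant-time comparison of normalised answers."""
    return hmac.compare_digest(expected.strip().lower(), supplied.strip().lower())


def verify_vulnerable(post_data: dict) -> bool:
    """Fails open: only fields that are present get checked, so a request with
    the security-question fields stripped passes with zero comparisons."""
    for field, expected in EXPECTED_ANSWERS.items():
        if field in post_data and not answers_match(expected, post_data[field]):
            return False
    return True


def verify_hardened(post_data: dict) -> bool:
    """Fails closed: every expected field must be present and correct."""
    for field, expected in EXPECTED_ANSWERS.items():
        supplied = post_data.get(field)
        if supplied is None or not answers_match(expected, supplied):
            return False
    return True


# Constructed request bodies mirroring the article's scenario.
WRONG_ANSWERS = {"securityQuestion0": "random", "securityQuestion1": "random"}
FIELDS_STRIPPED = {}  # both securityQuestion fields removed from the POST body
CORRECT_ANSWERS = dict(EXPECTED_ANSWERS)

if __name__ == "__main__":
    print("vulnerable, fields stripped:", verify_vulnerable(FIELDS_STRIPPED))  # True
    print("hardened, fields stripped:  ", verify_hardened(FIELDS_STRIPPED))    # False
```

The detection angle for a defender is the same condition: a challenge step that completes with fewer verified fields than the challenge issued should be logged and rejected, not treated as passed.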



He reported the issue to Paypal on October 3, 2016; Paypal fixed the security flaw on October 21 and awarded a huge bounty.

This is not the first time Hoggard has found a security hole; he has previously reported vulnerabilities in Android, Twitter, Facebook, Paypal, Blackberry and many more.


Nethra Gupta
A python programmer and Android developer keep tabs on latest changes in the programming world.

