Recently I was in a hotel needing to make a payment, there was no phone signal so I could not receive my Two Factor Auth token. Luckily for me Paypal’s 2FA took less than five minutes to bypass.

Proof of Concept

Step 1: Login with a valid username and password, click on the “Try another way” link.

Step 2: Enter any answer for security questions.

Step 3: Using a proxy, remove “securityQuestion0” and “securityQuestion1” from the post data.

Step 4: Profit

Advisory Timeline

• 03/10/16 - Reported issue to Paypal
• 04/10/16 - Paypal begin investigation of issue
• 21/10/16 - Paypal report issue as fixed
• 21/10/16 - Paypal award bounty