Paypal 2FA Bypass
October 22, 2016
Recently I was in a hotel needing to make a payment, there was no phone signal so I could not receive my Two Factor Auth token. Luckily for me Paypal’s 2FA took less than five minutes to bypass.
Proof of Concept
Step 1: Login with a valid username and password, click on the “Try another way” link.
Step 2: Enter any answer for security questions.
Step 3: Using a proxy, remove “securityQuestion0” and “securityQuestion1” from the post data.
Step 4: Profit
- 03/10/16 - Reported issue to Paypal
- 04/10/16 - Paypal begin investigation of issue
- 21/10/16 - Paypal report issue as fixed
- 21/10/16 - Paypal award bounty