The problem lies specifically in the “=_integrated-registration” function, Rogers wrote, which does not check to see if the victim has two-factor authentication enabled. An attacker could repeatedly gets access to the PayPal account by linking and de-linking the eBay and PayPal accounts of a person, he wrote. He posted a video of the attack on YouTube.
PayPal officials could not be immediately reached for comment.
The payment processor’s two-factor authentication could potentially be defeated in other ways. For example, if a user doesn’t have a way to receive the six-digit code, PayPal allows them to skip it and instead answer two security questions.
Those questions, which include “What’s the name of your first school?” and “What’s the name of the hospital in which you were born?” arguably aren’t difficult for a hacker who has been profiling a victim to answer.
But as with many online defenses, companies are often forced to make trade-offs between convenience and security, attempting to strike the right balance between safety and not alienating users locked out of their accounts.
Rogers has a record of finding problems in online services. Last month, he accepted a caution from police rather than face charges for discovering a vulnerability in the website of one of the country’s public transport authorities late last year.
A database flaw within the website of Public Transport Victoria (PTV), which runs the state’s transport system, allowed Rogers to gain access to some 600,000 records, including partial credit card numbers, addresses, e-mails, passwords, birth dates, phone numbers and senior citizen card numbers. Rogers notified the agency of the problem and did not try to profit from the information, but the incident was still referred to police.
Jeremy Kirk, IDG News Service
Subscribers 0
Fans 0
Followers 0
Followers