2FA flaw in PayPal's login portal fixed

News by Jeremy Seth Davis

A two-factor authentication (2FA) vulnerability affecting PayPal's login portal process has been patched. Security researcher Shawar Khan notified the online payment company of the high-severity flaw in May and he was awarded an undisclosed bug bounty in July.

The vulnerability affects PayPal's UK login portal and preview portal's interaction with the API. According to a Vulnerability Labs' security advisory, the PayPal preview login portal is missing a verification mechanism. “When logged in via PayPal UK login portal, it checks if the user account is already signed in from any other portal,” the advisory stated. PayPal issued a Common Vulnerability Scoring System rating of 6.2.

A researcher disclosed a flaw in April that could have been exploited by an attacker to embed malicious code into the email headings sent via PayPal's portal.

In December 2015, a researcher discovered a critical vulnerability in one of PayPal's business websites that allowed remote code execution. The researcher, Michael “Artsploit” Stepankin, stated that he was able to exploit the flaw to gain access to production databases.
