A teenage Australian ‘white hat’ hacker who found a flaw in PayPal's authentication system in June has now gone public on the problem because PayPal has still not fixed it.
But Melbourne, Victoria-based Joshua Rogers – who was arrested by armed police earlier this year after he alerted the Victorian Transportation Department to a leak in its 600,000-user database – has divided security industry opinion by going public, with one cyber expert accusing him of doing “a disservice to PayPal users by unnecessarily exposing them to new risks” and “a disservice to the security industry by perpetuating the stereotype of cowboy hackers”.
Rogers, who is 17, says in a 5 August blog post that PayPal's two-factor authentication (2FA) system can be bypassed. The flaw comes through the way PayPal (which is owned by eBay) allows users to link their eBay and PayPal accounts so when they sell something on the auction site, the fees automatically come out of their PayPal account.
When they register that link on PayPal, the security system fails to check for a 2FA code. Rogers says this would allow hackers to bypass the security checks, send money and view and edit personal information, though they would need to know the user's eBay and PayPal login credentials.
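The design problem described above is a second-factor check enforced by one entry point but skipped by another. The following added example (not PayPal's or Rogers' code; account, session and scope names are hypothetical) contrasts that per-path enforcement with a single authorisation gate that every path, including an account-linking flow, must pass before privileged actions are granted.

```python
from dataclasses import dataclass, field

# Constructed sample types; names are hypothetical, not PayPal's.
@dataclass
class Account:
    username: str
    password: str          # plain text only for the example; real systems store hashes
    twofa_enabled: bool
    current_code: str      # one-time code the user would receive out of band

@dataclass
class Session:
    username: str
    scopes: set = field(default_factory=set)

PRIVILEGED = {"send_money", "edit_profile"}  # actions a 2FA user expects to be gated

def password_ok(acct, password):
    return password == acct.password

def second_factor_ok(acct, code):
    # Accounts without 2FA are not affected; 2FA accounts need the right code.
    return not acct.twofa_enabled or code == acct.current_code

# --- Weak design: each entry point enforces 2FA itself, so a newer path can forget it ---
def weak_main_login(acct, password, code):
    if password_ok(acct, password) and second_factor_ok(acct, code):
        return Session(acct.username, set(PRIVILEGED))
    return None

def weak_link_login(acct, password):
    # Integration path written against a password-only check: privileged scopes without 2FA.
    if password_ok(acct, password):
        return Session(acct.username, set(PRIVILEGED))
    return None

# --- Hardened design: one gate decides scopes, and every path goes through it ---
def grant_scopes(acct, password, code):
    if not password_ok(acct, password):
        return None
    session = Session(acct.username)
    if second_factor_ok(acct, code):
        session.scopes |= PRIVILEGED
    return session  # password-only session for a 2FA account gets no privileged scopes

def hardened_main_login(acct, password, code):
    return grant_scopes(acct, password, code)

def hardened_link_login(acct, password, code=None):
    # Linking path can no longer mint a privileged session without the second factor.
    return grant_scopes(acct, password, code)
```

The test to apply in a review is the one the weak version fails: enumerate every path that produces an authenticated session and confirm each reaches the same gate.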
He says he discovered the bug on 5 June and alerted PayPal the same day. But this week he has published full details of how the exploit works on YouTube and in his blog, saying: “Today, the 5th of August, I release my Paypal 2FA bypass exploit. It's been exactly two months since I've reported this bug, and due to the simplicity of it, I believe I've given Paypal long enough to fix it.”
Rogers told SCMagazineUK.com by email: “The bug could be fixed by copy and pasting code. Two months is certainly enough time to fix something that is as simple as adding a feature, that they have already made, to another part of their website.”
He added: “I haven't personally seen it exploited in the wild, but due to the simplicity, I suspect someone, somewhere, may have been abusing it.”
SC contacted PayPal but it was unable to comment by time of writing. Rogers told us: “Since the blog has been posted, I have not had any contact from Paypal [yet].”
Rogers attracted international media coverage at the start of this year when he found a bug in Victoria Transportation Department's user database that could allow a hacker to access the full credentials of its 600,000 customers, including their full names, email addresses, home and mobile phone numbers, dates of birth, and a nine-digit extract of credit card numbers used at the site.
In his blog, Rogers said he found the flaw on Boxing Day 2013 and reported it to around 30 of the transportation department's email addresses. Later he spoke to journalists. Then, he revealed, in May his home was raided by armed police, he was arrested and eventually accepted a police caution for the hack.
His revelation of the PayPal problem has been strongly criticised by UK-based Paco Hope, principal consultant with Cigital.
Hope told SCMagazineUK.com: “This is security ‘research’ at its worst: combative, judgemental, arbitrary, and uninformed by the business needs of the software in question.
“Clearly the integration of the two businesses leverages this as a feature and must make deep changes to fix the problem. The changes will affect the user-experience of millions of users and the processing of millions of sales each day. The researcher, alone and with no acknowledgement of the business context at all, decided that they had ‘long enough’ to change the way their services work.
“Building secure software is hard, and finding flaws is the easy part. This is a flaw, not a bug, and changing the way two of the internet's biggest online services interact simply cannot be done overnight.”
Hope added: “The researcher in question has done a disservice to PayPal users by unnecessarily exposing them to new risks. He has also done a disservice to the security industry as a whole, by perpetuating the stereotype of cowboy hackers who ignore business needs and who can't be trusted to follow a responsible disclosure process.”
In his defence, Rogers told SC via email: “Paypal is known to take way too long to fix things.”
Steve Smith, MD of IT security consultancy services firm Pentura, also said that the problem should have been fixed quicker by PayPal.
He told us in an email: “This is a fundamental flaw in how the authentication is handled, that's easy to avoid in the first place and simple to fix - so it's surprising that the issue hasn't yet been resolved.
“Two-factor authentication when properly executed can be secure, providing the user chooses a strong password. This exploit could present a risk for eBay and PayPal users that have their PCs stolen, or share PCs with others.”
PayPal has subsequently contacted SC and issued the following statement:
“We are aware of a two-factor authentication (2FA) issue that is limited to a small amount of integrations with Adaptive Payments. 2FA is an extra layer of security some customers have chosen to add to their PayPal accounts. We are working to get the issue addressed as quickly as possible. It is important to clarify that 2FA provides extra assurance to keep accounts secure, however usernames and passwords are still required to gain access to all PayPal accounts.
“Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way. If you have chosen to add 2FA to your PayPal account, your account will continue to operate as usual on the vast majority of PayPal product experiences. We have extensive fraud and risk detection models and dedicated security teams who work to help keep our customers' accounts secure from fraudulent transactions, everyday. We apologise for any inconvenience caused to affected customers who use our 2FA process and we will continue to work hard to address this issue.”