PayPal started 2020 facing security intelligence that a vulnerability could expose user passwords to a hacker. Now, another shoe has dropped.
A new security report contends that any hacker worth their salt can do an end-run around the entire authentication procedure and gain complete access to a PayPal user’s account. To accomplish this feat, the cyber-thief can use stolen credentials that can be purchased on the dark web for as little as a dollar.
The new alert comes from CyberNews, which also voiced some concern that PayPal basically blew them off when they reported the vulnerabilities.
“When our analysts discovered six vulnerabilities in PayPal -- ranging from dangerous exploits that can allow anyone to bypass their two-factor authentication (2FA), to being able to send malicious code through their SmartChat system -- we were met with non-stop delays, unresponsive staff, and lack of appreciation,” CyberNews’ Bernard Meyer stated.
“We would like PayPal to take this vulnerability more seriously,” CyberNews told Forbes’ Zak Doffman. “At the moment, [PayPal is] writing it off as something ‘out-of-scope’ just because it involves stolen credentials.”
Doffman says that the researchers at CyberNews went out of their way to demonstrate how an attacker would pull this off. “While there is no way of knowing the state of the back-end algorithm checking the process, it did appear at face value to bypass the check,” he wrote.
How hackers got around PayPal’s security
One of the key functionalities of PayPal is that the platform knows every little detail on both sides of a transaction -- seller and buyer, receiver and sender, etc. To make that happen seamlessly for the user, PayPal tracks a user’s activity, the types of devices a consumer uses, and any known bad actors trying to rip a consumer off. PayPal keeps all that data as close to its vest as possible.
PayPal’s alarm starts ringing if it notices that a consumer is, say, using a new phone to log into their account or is logging on from a location different from the ones it’s used to seeing.
When that alarm goes off, PayPal presses the pause button and goes the extra mile to make sure that the person logging in really is who they say they are. Once the user can verify that, the process is allowed to go on.
CyberNews claims that there’s a way around that prove-who-you-are step. In the company’s demonstration to Doffman, it was able to prove that any hacker in possession of someone’s stolen credentials can bypass the system -- even masquerade as a PayPal support team member if necessary -- and continue on their merry way.
What to watch out for
In soap opera fashion, the same day that CyberNews clued PayPal in on what it found, PayPal retorted that it was already on the case. CyberNews confirmed as much, saying that its follow-up did indeed show that the vulnerability “seems to have been patched on PayPal’s side.”
Despite PayPal’s assurance, consumers should buckle down the next time they use the platform. CyberNews says the #1 thing consumers should be wary of is a pop-up that says “Download the new PayPal app.” If a user takes the bait, their computer could well end up ravaged by malware.
“The worst case scenario is that an attacker, armed with stolen PayPal credentials, can change the account holder’s name,” Meyer claims. “Once they’ve completely taken over an account, the real account holder wouldn’t be able to claim that account, since the name has been changed and their official documents would be of no assistance.”