It is widely recommended that you use Two-Factor authentication on as many accounts as possible because it is supposed to provide a secondary layer of security that makes it almost impossible to hack your accounts. Typically the second layer of security is a randomly generated code that can be generated by a text message, email or authenticator app on a smartphone such as Google Authenticator. However, it appears 2FA is not as secure as previously thought, at least not PayPal’s implementation of it. PayPal mobile apps cannot be used to access 2FA protected accounts because after the log-in procedure is conducted the lack of a supplementary code triggers a return signal to the main server to block access. However, it turns out that turning the phone into airplane mode and then reenabling connectivity to block that return signals allows you to gain access to the account without a 2FA code being required. Apparently the oversight occurs because during the login procedure a session token is provided which is not revoked by the returning signal because it gets blocked.
The security firm discovered the flaw on April 23rd and and received a response 2 days later. The security form announced there would be a public disclosure of the flaw on June 25th (yesterday) giving PayPal time to fix the issue. PayPal addressed the issue in a blog post claiming they have a temporary fix for the problem which effectively requires mobile app users to log in through the main website instead of the app thus meaning the the flaw can no longer be carried out.
Source: DuoSecurity
Image courtesy of PayPal
