Joshua Rogers, 17, lives in Melbourne, Australia. On June 5, he found a flaw in PayPal’s two-factor authentication security system. He reported it to PayPal that day. He says PayPal responded to him on June 27 and July 4, but it never fixed the vulnerability, so he did what teenagers (and people generally) often do and posted it on his blog.
The attack works only if a hacker knows her target’s eBay and PayPal login, but as PCWorld points out, malware to ascertain this information has existed for a really long time. (Hence the creation of two-factor authentication.) Once a hacker has both sets of login credentials, she can use a page where users link their eBay and PayPal accounts to create a cookie that tricks PayPal into thinking that the person being hacked is logged in. This keeps PayPal from initiating two-factor authentication.
Rogers published the hack on YouTube on June 20, and then on his blog on June 26. Then he republished it on his blog on Monday in an attempt to get PayPal’s attention. PCWorld notes that by publicly disclosing the vulnerability, Rogers sacrificed his chance at a reward for finding the bug. But he responded, “I don’t care about the money, no ... Money isn’t everything in this world.”
A PayPal spokesperson wrote in a statement, “We are aware of a two-factor authentication (2FA) issue that is limited to a small amount of integrations with Adaptive Payments. ... We are working to get the issue addressed as quickly as possible.” The statement goes on to emphasize that two-factor authentication is an optional and additional security measure, and that usernames and passwords in general haven't been compromised.
But if your account has been hacked this flaw in PayPal two-factor authentication could be a problem for you. So yeah, anytime you want to fix this, PayPal, that would be great.
TODAY IN SLATE
Blacks Don’t Have a Corporal Punishment Problem
Americans do. But when blacks exhibit the same behaviors as others, it becomes part of a greater black pathology.
I Bought the Huge iPhone. I’m Already Thinking of Returning It.
Scotland Is Just the Beginning. Expect More Political Earthquakes in Europe.
Students Aren’t Going to College Football Games as Much Anymore
And schools are getting worried.
Two Damn Good, Very Different Movies About Soldiers Returning From War
Lifetime Didn’t Think the Steubenville Rape Case Was Dramatic Enough
So they added a little self-immolation.
The Most Terrifying Thing About Ebola
The disease threatens humanity by preying on humanity.