PayPal Vulnerability Exposed by Previously Ignored 17-Year-Old

The Citizen's Guide to the Future
Aug. 5 2014 4:54 PM

PayPal Vulnerability Exposed by Previously Ignored 17-Year-Old

PayPal's two-factor authentication flaw needs fixing.

Photo by ERIC PIERMONT/AFP/Getty Images

Joshua Rogers, 17, lives in Melbourne, Australia. On June 5, he found a flaw in PayPal’s two-factor authentication security system. He reported it to PayPal that day. He says PayPal responded to him on June 27 and July 4, but it never fixed the vulnerability, so he did what teenagers (and people generally) often do and posted it on his blog.

The attack works only if a hacker knows her target’s eBay and PayPal login, but as PCWorld points out, malware to ascertain this information has existed for a really long time. (Hence the creation of two-factor authentication.) Once a hacker has both sets of login credentials, she can use a page where users link their eBay and PayPal accounts to create a cookie that tricks PayPal into thinking that the person being hacked is logged in. This keeps PayPal from initiating two-factor authentication.


Rogers published the hack on YouTube on June 20, and then on his blog on June 26. Then he republished it on his blog on Monday in an attempt to get PayPal’s attention. PCWorld notes that by publicly disclosing the vulnerability, Rogers sacrificed his chance at a reward for finding the bug. But he responded, “I don’t care about the money, no ... Money isn’t everything in this world.”

A PayPal spokesperson wrote in a statement, “We are aware of a two-factor authentication (2FA) issue that is limited to a small amount of integrations with Adaptive Payments. ... We are working to get the issue addressed as quickly as possible.” The statement goes on to emphasize that two-factor authentication is an optional and additional security measure, and that usernames and passwords in general haven't been compromised.

But if your account has been hacked this flaw in PayPal two-factor authentication could be a problem for you. So yeah, anytime you want to fix this, PayPal, that would be great.

Future Tense is a partnership of SlateNew America, and Arizona State University.

Lily Hay Newman is lead blogger for Future Tense.



Blacks Don’t Have a Corporal Punishment Problem

Americans do. But when blacks exhibit the same behaviors as others, it becomes part of a greater black pathology. 

I Bought the Huge iPhone. I’m Already Thinking of Returning It.

Scotland Is Just the Beginning. Expect More Political Earthquakes in Europe.

Students Aren’t Going to College Football Games as Much Anymore

And schools are getting worried.

Two Damn Good, Very Different Movies About Soldiers Returning From War

The XX Factor

Lifetime Didn’t Think the Steubenville Rape Case Was Dramatic Enough

So they added a little self-immolation.

Medical Examiner

The Most Terrifying Thing About Ebola 

The disease threatens humanity by preying on humanity.

Lifetime Didn’t Find the Steubenville Rape Case Dramatic Enough, So They Added Self-Immolation

Why Hillary Clinton and Other Democrats Are Shrewd to Frame All Issues As “Women’s Issues”

  News & Politics
Sept. 20 2014 11:13 AM -30-
Business Insider
Sept. 20 2014 6:30 AM The Man Making Bill Gates Richer
Sept. 20 2014 7:27 AM How Do Plants Grow Aboard the International Space Station?
  Double X
The XX Factor
Sept. 19 2014 4:58 PM Steubenville Gets the Lifetime Treatment (And a Cheerleader Erupts Into Flames)
  Slate Plus
Slate Picks
Sept. 19 2014 12:00 PM What Happened at Slate This Week? The Slatest editor tells us to read well-informed skepticism, media criticism, and more.
Brow Beat
Sept. 20 2014 3:21 PM “The More You Know (About Black People)” Uses Very Funny PSAs to Condemn Black Stereotypes
Future Tense
Sept. 19 2014 6:31 PM The One Big Problem With the Enormous New iPhone
  Health & Science
Bad Astronomy
Sept. 20 2014 7:00 AM The Shaggy Sun
Sports Nut
Sept. 18 2014 11:42 AM Grandmaster Clash One of the most amazing feats in chess history just happened, and no one noticed.