PayPal Vulnerability Exposed by Previously Ignored 17-Year-Old

The Citizen's Guide to the Future
Aug. 5 2014 4:54 PM


PayPal's two-factor authentication flaw needs fixing.


Joshua Rogers, 17, lives in Melbourne, Australia. On June 5, he found a flaw in PayPal’s two-factor authentication security system. He reported it to PayPal that day. He says PayPal responded to him on June 27 and July 4, but it never fixed the vulnerability, so he did what teenagers (and people generally) often do and posted it on his blog.

The attack works only if a hacker already knows her target’s eBay and PayPal logins, but as PCWorld points out, malware that harvests exactly this information has existed for a long time. (Hence the creation of two-factor authentication.) Once a hacker has both sets of credentials, she can use the page where users link their eBay and PayPal accounts to obtain a cookie that makes PayPal treat her session as already logged in. Because that page never asks for the second factor, PayPal never initiates two-factor authentication at all.
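The article gives no detail of PayPal’s internals, so the following is an added, constructed example (not PayPal’s or eBay’s code) that models the general class of bug described above: a secondary authentication path (here, an account-linking page) issues a fully trusted session cookie after checking only the password, while the main login is the only place that asks for the second factor. The user record, the fixed TOTP code, the signing key and the cookie format are all hypothetical. The hardened half shows the usual fix: every page that mints a session goes through one issuer that records whether the second factor was completed, and every protected request checks that flag rather than merely whether a signed cookie exists.

```python
"""Toy model of a second-factor bypass through an alternate login path.

Constructed example, not PayPal's or eBay's code: the user record, the TOTP
code and the signing key are made up, and the cookie format is hypothetical.
"""
import hashlib
import hmac
from typing import Optional

SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed user record with MFA switched on: a stolen password alone
# must never yield a usable session.
USERS = {"alice": {"password": "hunter2", "totp": "492817", "mfa_enabled": True}}


def _mint(claims: dict) -> str:
    """Serialise claims as k=v pairs and append an HMAC so the client cannot forge them."""
    payload = ";".join(f"{k}={v}" for k, v in sorted(claims.items()))
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def _parse(cookie: str) -> Optional[dict]:
    """Return the claims if the HMAC verifies, else None (tampered or garbage)."""
    payload, _, mac = cookie.rpartition(".")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not payload or not hmac.compare_digest(mac, expected):
        return None
    return dict(kv.split("=", 1) for kv in payload.split(";"))


def _password_ok(user: str, password: str) -> bool:
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)


# ---- vulnerable design: two pages mint sessions, only one enforces MFA ----

def login_vuln(user: str, password: str, totp: Optional[str] = None) -> Optional[str]:
    """Main login page: password, then the second factor if the account has it."""
    if not _password_ok(user, password):
        return None
    if USERS[user]["mfa_enabled"] and totp != USERS[user]["totp"]:
        return None  # caller must come back with a valid code
    return _mint({"user": user})


def link_accounts_vuln(user: str, password: str, partner_login: str) -> Optional[str]:
    """Account-linking page: checks the password only, then issues the same
    fully trusted cookie as the main login. The second factor is never requested."""
    if not _password_ok(user, password):
        return None
    return _mint({"user": user, "linked": partner_login})


def is_authenticated_vuln(cookie: str) -> bool:
    """The gate trusts any validly signed cookie, whichever page minted it."""
    return _parse(cookie) is not None


# ---- hardened design: one issuer records MFA state, the gate checks it ----

def _session(user: str, mfa_done: bool, **extra: str) -> str:
    """Single place that mints sessions; 'mfa' records whether the second factor was completed."""
    done = mfa_done or not USERS[user]["mfa_enabled"]
    return _mint({"user": user, "mfa": "1" if done else "0", **extra})


def login_fixed(user: str, password: str) -> Optional[str]:
    if not _password_ok(user, password):
        return None
    return _session(user, mfa_done=False)  # pending until complete_mfa_fixed


def link_accounts_fixed(user: str, password: str, partner_login: str) -> Optional[str]:
    if not _password_ok(user, password):
        return None
    return _session(user, mfa_done=False, linked=partner_login)  # also pending


def complete_mfa_fixed(cookie: str, totp: str) -> Optional[str]:
    """Upgrade a pending session to a full one after a correct TOTP code."""
    claims = _parse(cookie)
    rec = USERS.get(claims["user"]) if claims else None
    if rec is None or not hmac.compare_digest(rec["totp"], totp):
        return None
    return _mint({**claims, "mfa": "1"})


def is_authenticated_fixed(cookie: str) -> bool:
    """Every protected request checks the MFA flag, not just that a cookie exists."""
    claims = _parse(cookie)
    return claims is not None and claims.get("mfa") == "1"


if __name__ == "__main__":
    stolen = ("alice", "hunter2")  # attacker has the password but not the TOTP device
    print("main login, password only  :", login_vuln(*stolen) is not None)
    print("vulnerable linking bypass  :", is_authenticated_vuln(link_accounts_vuln(*stolen, "alice-ebay")))
    pending = link_accounts_fixed(*stolen, "alice-ebay")
    print("hardened linking cookie ok :", is_authenticated_fixed(pending))
    print("after correct TOTP         :", is_authenticated_fixed(complete_mfa_fixed(pending, "492817")))
```

With only the stolen password, the vulnerable main login refuses, but the vulnerable linking page hands back a cookie the gate accepts, which is the shape of the bypass the article describes. In the hardened version the linking page can only ever issue a pending session, the client cannot flip the flag because the cookie is signed, and the gate rejects anything that did not pass through the TOTP step.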


Rogers published the hack on YouTube on June 20 and then on his blog on June 26. He republished it on his blog on Monday (Aug. 4) in an attempt to get PayPal’s attention. PCWorld notes that by publicly disclosing the vulnerability, Rogers sacrificed his chance at a reward for finding the bug. But he responded, “I don’t care about the money, no ... Money isn’t everything in this world.”

A PayPal spokesperson wrote in a statement, “We are aware of a two-factor authentication (2FA) issue that is limited to a small amount of integrations with Adaptive Payments. ... We are working to get the issue addressed as quickly as possible.” The statement goes on to emphasize that two-factor authentication is an optional and additional security measure, and that usernames and passwords in general haven't been compromised.

But if your username and password have already been stolen, this flaw means PayPal’s two-factor authentication won’t protect you, which is the one situation it exists for. So yeah, anytime you want to fix this, PayPal, that would be great.

Future Tense is a partnership of Slate, New America, and Arizona State University.

Lily Hay Newman is lead blogger for Future Tense.
