PayPal Vulnerability Exposed by Previously Ignored 17-Year-Old

Future Tense
The Citizen's Guide to the Future
Aug. 5 2014 4:54 PM

PayPal Vulnerability Exposed by Previously Ignored 17-Year-Old

PayPal's two-factor authentication flaw needs fixing.

Photo by ERIC PIERMONT/AFP/Getty Images

Joshua Rogers, 17, lives in Melbourne, Australia. On June 5, he found a flaw in PayPal’s two-factor authentication security system. He reported it to PayPal that day. He says PayPal responded to him on June 27 and July 4, but it never fixed the vulnerability, so he did what teenagers (and people generally) often do and posted it on his blog.

The attack works only if a hacker knows her target’s eBay and PayPal login, but as PCWorld points out, malware to ascertain this information has existed for a really long time. (Hence the creation of two-factor authentication.) Once a hacker has both sets of login credentials, she can use a page where users link their eBay and PayPal accounts to create a cookie that tricks PayPal into thinking that the person being hacked is logged in. This keeps PayPal from initiating two-factor authentication.


Rogers published the hack on YouTube on June 20, and then on his blog on June 26. Then he republished it on his blog on Monday in an attempt to get PayPal’s attention. PCWorld notes that by publicly disclosing the vulnerability, Rogers sacrificed his chance at a reward for finding the bug. But he responded, “I don’t care about the money, no ... Money isn’t everything in this world.”

A PayPal spokesperson wrote in a statement, “We are aware of a two-factor authentication (2FA) issue that is limited to a small amount of integrations with Adaptive Payments. ... We are working to get the issue addressed as quickly as possible.” The statement goes on to emphasize that two-factor authentication is an optional and additional security measure, and that usernames and passwords in general haven't been compromised.

But if your account has been hacked this flaw in PayPal two-factor authentication could be a problem for you. So yeah, anytime you want to fix this, PayPal, that would be great.

Future Tense is a partnership of SlateNew America, and Arizona State University.

Lily Hay Newman is lead blogger for Future Tense.


The Slatest

Ben Bradlee Dead at 93

The legendary Washington Post editor presided over the paper’s Watergate coverage.

The Congressional Republican Digging Through Scientists’ Grant Proposals

Renée Zellweger’s New Face Is Too Real

Sleater-Kinney Was Once America’s Best Rock Band

Can it be again?

Whole Foods Is Desperate for Customers to Feel Warm and Fuzzy Again

The XX Factor

I’m 25. I Have $250.03.

My doctors want me to freeze my eggs.

The XX Factor
Oct. 20 2014 6:17 PM I’m 25. I Have $250.03. My doctors want me to freeze my eggs.

Forget Oculus Rift

This $25 cardboard box turns your phone into an incredibly fun virtual reality experience.

George Tiller’s Murderer Threatens Another Abortion Provider, Claims Free Speech

Walmart Is Crushing the Rest of Corporate America in Adopting Solar Power

  News & Politics
The World
Oct. 21 2014 3:13 PM Why Countries Make Human Rights Pledges They Have No Intention of Honoring
Oct. 21 2014 5:57 PM Soda and Fries Have Lost Their Charm for Both Consumers and Investors
The Vault
Oct. 21 2014 2:23 PM A Data-Packed Map of American Immigration in 1903
  Double X
The XX Factor
Oct. 21 2014 3:03 PM Renée Zellweger’s New Face Is Too Real
  Slate Plus
Behind the Scenes
Oct. 21 2014 1:02 PM Where Are Slate Plus Members From? This Weird Cartogram Explains. A weird-looking cartogram of Slate Plus memberships by state.
Brow Beat
Oct. 21 2014 9:42 PM The All The President’s Men Scene That Perfectly Captured Ben Bradlee’s Genius
Oct. 21 2014 5:38 PM Justified Paranoia Citizenfour offers a look into the mind of Edward Snowden.
  Health & Science
Climate Desk
Oct. 21 2014 11:53 AM Taking Research for Granted Texas Republican Lamar Smith continues his crusade against independence in science.
Sports Nut
Oct. 20 2014 5:09 PM Keepaway, on Three. Ready—Break! On his record-breaking touchdown pass, Peyton Manning couldn’t even leave the celebration to chance.