How do I disable one-time codes

Only1KW
Contributor

Recently when logging in, PayPal has started offering me the option of logging in with a one-time SMS code to my phone rather than a password.  This seems incredibly insecure to me and I'd prefer not to have it on my account.  I cannot find any way to disable this when I check my account settings.  I've spoken with half a dozen agents at this point about this, and half have told me it can't be disabled and half told me they'd send me instructions on how to disable it, but either the instructions never arrived or were not relevant.  How do I go about disabling this feature on my account?

106 replies

jewbixcube
Contributor

Came here after waking up to a couple one-time passcodes that I received via SMS from someone else trying to log into my account. Thankfully nobody has spoofed my SIM or else they'd have full access to my account, even with 2-step verification turned on through an authenticator app. I can't believe that you can't disable this security flaw, that it bypasses 2-step verification, and that PayPal customer service seems to not fully understand what it is we're even talking about. 

I would like as many people to join me in taking this to as many news publications as possible: CNN, Fox, CBS, NYTimes, Wired, TechCrunch, Engadget, Ars Technica, CNET. Hit them where it hurts: their pocket. They won't care if it's just on here -- it needs to be publicized and hurt their bottom line in order to enact change. All we can do in the meantime is close our accounts.


SafeDesk
Contributor
Adding in my vote to get this hilariously bad feature removed. I've started getting text messages to my phone from people trying to retrieve a one-time code. All my 2FA and security questions get bypassed because a malicious actor can just click a button to send a code, and if they have spoofed my SIM, then there goes my account (and bank account probably). Definitely considering closing PayPal for this reason. To PayPal: why do you think no other companies (okay, maybe one or two) offer one-time passwords? Have a little think.

foequeue
New Community Member

I just deleted my account for this.  I've seen it all over the place and it is not a risk I'm willing to carry.  This should NOT be allowed as an option via paypal's integration logic.  You can't push the blame to downstream consumers when THEY ARE PROVIDED THE OPTION BY PAYPAL.


jewbixcube
Contributor

I wrote an article on Medium detailing this issue, and I mentioned this thread and quoted some of the users here in it: https://medium.com/@jewbixcube/paypal-allows-bypassing-two-factor-auth-with-a-button-click-claims-it...

Please help get the word out there on this irresponsible security flaw. Share it on Twitter, Facebook, etc. and tag media outlets in your post like TechCrunch, Wired, Engadget, CNET, Ars Technica, and also NY Times, Fox, CNN, etc.

It's the only way we can draw attention and awareness to the problem. The PayPal moderators stopped responding to the thread a long time ago, so there's no other way to get any kind of meaningful response other than getting the issue re-shared by one of these big media outlets to the point where it puts pressure on PayPal to actually do something about it.

Thanks in advance for sharing it. Let me know if there's anything I can improve upon.


foofoothesnoo
Contributor

I've pulled all my payment methods and bank account off PayPal until this is fixed, if it ever is. What is the point of using 2FA if it can be bypassed so easily? PayPal is compromising its users' finances. 


jewbixcube
Contributor

UPDATE! It seems like PayPal has removed the "Log in with a one-time code" button on the U.S. version of their site. Apparently it had already been removed in non-U.S. versions and now it has been removed in the U.S. as well.

👏👏👏


Only1KW
Contributor

I am still given the option to log in with a one-time passcode.


jewbixcube
Contributor

Hmm, it must be rolling out to users incrementally.

Another commenter on my Medium article and I seem to have had the one-time button removed. Hopefully it continues to be removed across all users' accounts.


shooper6
Contributor
On the bright side, I haven't been able to dig up the option to log in with just an SMS code in a while. (Read through this topic to find my earlier posts.) I'm not convinced that this is entirely fixed because it seemed to intermittently come and go for a while. But personally I haven't seen it. My list of active second factors on my security page now includes a hardware security key and auth codes generated on my phone. I don't recall if SMS was ever explicitly on the list, but it's not there now.

However, when I try to sign in, *after* putting in my password, I can still bypass my preferred second factors and get an SMS. I'm glad that it's at least combining this with a password, but I do not want it at all! Come on!

Worse, I've stumbled into a new problem. If I don't give my password I can do a password reset via SMS code. When I do this, most sites will drop you back at the login page and make you sign in anyway, including any second factors you have turned on. Not PayPal! Once I put in the code from an SMS and type a new password, I'm logged into my account. You're reading that right. In effect, this is exactly the same scenario as before: no password, SMS code, no MFA, boom, logged in. But it's even worse, because now the attacker has also *reset my password* at the same time. Wtf PayPal! It's one thing to force me to use SMS as a second factor when I already have two others turned on. It's a whole other world of stupid to give login and password reset control via a text message.

The correct password emergency reset flow, which you've somehow apparently never seen, is:

1. Send a code or link to *email*.
2. Allow the password reset (and send a security notice via email so the user knows what happened, which you also didn't do).
3. Redirect the user to the normal login page in order to use her new password.
4. When logging in, still require the second factors as normal.

It's not that complex. Login and password reset flows are, like, a completely solved technology. We've been doing this for decades. Just do what myspace does, dang.
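The two complaints in this thread (jewbixcube's "one-time code" login that skips the authenticator app, and shooper6's SMS reset that lands you in a logged-in session) come down to the same design error: an SMS code alone is allowed to establish a session. The toy model below is an added example written for this page; it is not PayPal code and does not describe PayPal's internals. It puts the weak SMS paths next to the flow shooper6 lists (emailed single-use token, reset returns no session, login afterwards still requires the registered TOTP factor, notice sent on change). Account data, phone number, addresses and the in-memory "outboxes" are constructed stand-ins for a real SMS gateway and mail server.

```python
import hashlib
import hmac
import secrets

# Constructed outboxes standing in for the SMS gateway and mail server.
SMS_OUTBOX = []
MAIL_OUTBOX = []

def send_sms(phone, text):
    SMS_OUTBOX.append((phone, text))

def send_email(addr, text):
    MAIL_OUTBOX.append((addr, text))

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (SHA-1), what an authenticator app shows the user."""
    counter = int(now // step)
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class Account:
    def __init__(self, email, phone, password, totp_secret):
        self.email, self.phone = email, phone
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.totp_secret = totp_secret  # the registered second factor
        self.sms_code = None            # last one-time code texted out
        self.reset_token = None         # (sha256(token), expiry)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, self._hash(password))

def new_session(acct):
    return {"user": acct.email, "sid": secrets.token_hex(16)}

# --- The paths the thread complains about: anyone can trigger the SMS ---

def request_sms_code(acct):
    acct.sms_code = f"{secrets.randbelow(10 ** 6):06d}"
    send_sms(acct.phone, acct.sms_code)

def weak_sms_login(acct, code):
    """No password, and the registered TOTP factor is never asked for."""
    if acct.sms_code and hmac.compare_digest(acct.sms_code, code):
        acct.sms_code = None
        return new_session(acct)
    return None

def weak_sms_reset(acct, code, new_password):
    """Same hole, plus the attacker now owns the password as well."""
    if acct.sms_code and hmac.compare_digest(acct.sms_code, code):
        acct.sms_code = None
        acct.pw_hash = acct._hash(new_password)
        return new_session(acct)
    return None

# --- The flow shooper6 describes ---

def login(acct, password, second_factor, now):
    if not acct.check_password(password):
        return None
    if not hmac.compare_digest(totp(acct.totp_secret, now), second_factor):
        return None
    return new_session(acct)

def request_reset(acct, now, ttl=900):
    token = secrets.token_urlsafe(32)            # goes to email, never SMS
    acct.reset_token = (hashlib.sha256(token.encode()).digest(), now + ttl)
    send_email(acct.email, f"reset token: {token}")

def complete_reset(acct, token, new_password, now):
    """Returns True/False only: a reset never creates a session."""
    if acct.reset_token is None:
        return False
    digest, expiry = acct.reset_token
    acct.reset_token = None                      # single use, even on failure
    presented = hashlib.sha256(token.encode()).digest()
    if now > expiry or not hmac.compare_digest(digest, presented):
        return False
    acct.pw_hash = acct._hash(new_password)
    send_email(acct.email, "security notice: your password was changed")
    return True                                  # caller redirects to the login page

def demo(now=1_700_000_000):
    """Runs an attacker who can read the victim's SMS against both designs."""
    acct = Account("alice@example.com", "+15555550100", "old-password", b"alice-totp-seed")
    request_sms_code(acct)
    weak_login = weak_sms_login(acct, SMS_OUTBOX[-1][1]) is not None
    request_sms_code(acct)
    weak_reset = weak_sms_reset(acct, SMS_OUTBOX[-1][1], "attacker-pw") is not None
    request_reset(acct, now)
    token = MAIL_OUTBOX[-1][1].split(": ", 1)[1]
    reset_ok = complete_reset(acct, token, "new-password", now + 60)
    replay = complete_reset(acct, token, "again", now + 61)
    request_reset(acct, now)
    stale = complete_reset(acct, MAIL_OUTBOX[-1][1].split(": ", 1)[1], "late", now + 5000)
    right = totp(acct.totp_secret, now + 120)
    wrong = f"{(int(right) + 1) % 10 ** 6:06d}"
    return {"weak_login_bypasses_mfa": weak_login, "weak_reset_bypasses_mfa": weak_reset,
            "reset_ok": reset_ok, "reset_replay": replay, "reset_expired": stale,
            "login_wrong_totp": login(acct, "new-password", wrong, now + 120),
            "login_ok": login(acct, "new-password", right, now + 120),
            "notice_sent": any("password was changed" in t for _, t in MAIL_OUTBOX)}
```

Two details carry the security weight: `complete_reset` returns a boolean rather than a session, so the only way into the account after a reset is the normal `login` with its second factor, and the reset token is hashed at rest, bound to an expiry and consumed on first use, so an intercepted or replayed token buys nothing. If a product wants SMS at all, this model shows where it can safely go: as an additional second factor after the password, never as a substitute for both.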

shooper6
Contributor
You should update your Medium article again; what I've described above is still a huge problem.
