Major security flaw - the system keeps re-enabling auto login even after I keep turning it off

j_a_s
Contributor

I've been dealing with customer support all day over this issue and they say they can do nothing, but I want to raise it here as well since it's a major security flaw. PayPal is a financial site and therefore security controls should be very strong. I always log out whenever I complete a transaction and I never click the "stay logged in" button that's always presented. Now, every time I log in, I get an email saying "We've made it easier for you to check out with PayPal. Since we recognize this device, we'll automatically log you in so you can skip typing your password at checkout! ... If this is a shared device, or you don't want us to automatically log you in, we recommend that you turn this feature off." I go in and manually turn the feature off. Then the next time I log in to make a transaction, I get the same email again, the feature is re-enabled again, and I have to go in to manually turn it off again. This is totally unacceptable. I'm the only one who should be able to determine if my device is trusted and if I want to enable auto login. I was told that there's nothing they can do and that I'll simply have to manually disable the feature every time. This is a major security flaw and it's a big deal. I was told that my concern has been escalated but I'm posting this here in the hopes of raising the visibility of this issue. Thanks.

116 REPLIES

goodapple15
Contributor

This is now my #1 reason to NOT use PayPal.

If someone steals my phone, all my bank apps are locked by password authentication or biometric authentication IN ADDITION TO the phone lock.

That's how I want it.

But if someone steals my phone and opens PayPal, they can immediately use as much $ as is available in all my linked accounts, unless I continually remember to constantly turn this feature off.

If this ever actually occurs for me, I will likely permanently abandon the PayPal platform in favor of alternatives.


PayPal_JonK
Moderator

Hello @goodapple15 

Welcome to the PayPal Community! I certainly understand your concern. If that ever happens, you can manage your active logins with the following steps: 

  1. Login to your PayPal account through a browser (not a mobile app)
  2. Click Settings (gear icon)
  3. Click Security
  4. Click Manage next to Manage your logins
  5. Choose to remove the active login you wish

I also posted some steps above regarding removing any Auto Logins as well.


I hope that helps!


 - Jon K

 



goodapple15
Contributor

Thank you Jon, that makes sense.

 

My plan has been to remote-wipe my device should it ever be lost or stolen, but I hadn't thought of removing my active login(s) as well.  I will put that in my mental notes as part of my contingency plan.  That will also be a more certain step, as it will occur server-side.

 

Thank you!


texanNUmbria
Contributor

To the moderator who suggests turning off the ability - This does not work. I have ALWAYS had autologin disabled, yet every 3rd or so login, PayPal re-enables autologin. Your algorithm is obviously not taking the choice I have made to disable autologin into account, and repeatedly turns it back on.

 

What stupidity.  Fix this already.


COTestDummy
Contributor

No, this does not help!  Whenever I make a purchase, PayPal re-enables it EVERY TIME.  How does one stop this from happening PERMANENTLY?


wfredk
Member

The problem with this procedure is IT IS NOT A PERMANENT SETTING - PayPal turns the **bleep** security hole back on EVERY time.


clee6
Contributor

I have the same problem -- you are right -- this is unacceptable. I turn off the auto enable login on my phone, then do a test -- go to a site, place an order and enter PayPal to pay and it processes immediately without asking for my password. HUGE SECURITY FLAW THAT REQUIRES IMMEDIATE ATTENTION AND RESPONSE.


hopefullycos
Contributor

Agreed, this needs to be fixed!


p_k_g
New Community Member

Strongly agree that this needs to be fixed.  I have turned off this "feature" at least a half dozen times now.  Shouldn't be difficult to add a "non-consent" ("No, and don't ask again") indicator to the account.


britanico
Contributor

I have the same problem. IT IS A SIGNIFICANT SECURITY ISSUE that is also very annoying. If a customer has gone to the trouble of logging in to turn this "feature" off, why is PayPal then turning it back on? PayPal has this backwards. This is a dangerous feature that should require an opt-in with due warnings about the obvious risks.
