A teenage whitehat hacker said he has found a simple way that attackers can bypass the two-factor authentication system PayPal uses to protect user accounts.
The circumvention requires little more than spoofing a browser cookie set when users link their eBay and PayPal accounts, according to Joshua Rogers, a 17-year-old living in Melbourne, Australia. Once the cookie—which is tied to a function PayPal identifies as "=_integrated-registration"—is active in a user's browsing session, the two-factor authentication is circumvented, Rogers reported. That means attackers who somehow acquire someone else's login credentials would be able to log in without having to enter the one-time passcode sent to the account holder's mobile phone.
Rogers said he reported the vulnerability privately to PayPal on June 5. He said he went public two months later after receiving no response. He went on to write: