Impressive! 4 easy steps to bypass PayPal's two-factor authentication mechanism - Vulnerability alert - Heiba Security Net (myhack58)

ID MYHACK58:62201680903
Type myhack58
Reporter Anonymous (佚名)
Modified 2016-11-05T00:00:00


Two-factor authentication (2FA) combines a password with a second factor such as a physical card, a bank card, an SMS code, a phone call, a hardware token, or a biometric such as a fingerprint. Businesses adopt it mainly to raise account security and better protect users' accounts. PayPal, like most large online service providers, offers it as an option. Its two-step verification (2SV) works like this: when a user logs in with a username and password, the server sends a one-time verification code by SMS to the registered phone. The user needs phone service to receive it; without a signal the code never arrives and, in other words, the user cannot complete a standard two-step login.

Nevertheless, British security researcher Henry Hoggard found a very simple way to bypass PayPal's two-step verification. With it, an attacker who already holds the victim's username and password can take over the account in about a minute. Hoggard stumbled on the flaw by chance while staying in a hotel with no mobile signal. The problem, he said, lay in the "try another way" link. PayPal offers this option to account owners who have no signal or do not have their device with them, so that they can still get into their accounts: instead of the SMS code, PayPal asks them to answer a security question.

Hoggard found that an attacker running an intercepting proxy can capture the request to PayPal's server, tamper with the HTTP data, and trick PayPal into granting access to the targeted account.
Specifically, the attacker removes the "securityQuestion0" and "securityQuestion1" parameters from the HTTP request. The skill required is low; this is an entry-level attack. The steps:

1. Hoggard logged in to his own PayPal account and clicked "try another way". PayPal asked whether it should send him a one-time 2SV code.
2. He chose to answer the security questions instead, but rather than entering the answers he had set on the account, he typed arbitrary text into the boxes.
3. Using the proxy, he removed the two security-question fields from the POST data. The captured body was:

selectOption=SECURITY_QUESTION&securityQuestion0=test&securityQuestion1=test&jsEnabled=1&execution=e2s1&_sms_ivr_continue_btn_label=Continue&_default_btn_lable=Continue&_eventId_continue=Continue

4. He then forwarded the modified request. Astonishingly, the account passed verification even though no question had been answered at all.

This is a real case, not a joke: simple, but very effective. An attacker who has the victim's PayPal username and password can bypass 2SV and log in to the victim's account. Because the threat was serious, Hoggard reported the issue to PayPal on October 3, and after investigation PayPal fixed the bug on October 21.

In general, every kind of web service should use two-factor authentication to add a further layer of security. Services should also provide alternative verification paths so that users can still reach their accounts if their mobile device is lost. The lesson of this case is that such fallback paths must be checked as strictly as the primary one: a server must reject a response that omits the required answers rather than treat a missing answer as a correct one.
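The following Python script is an added example, not code from the write-up or from PayPal. It reproduces step 3 on the captured POST body above (dropping the two security-question fields, as an intercepting proxy would) and then runs that body through two hypothetical server-side checks: one that reconstructs the bug class the article describes (only answers that are present get compared, so a body with no answers passes) and a hardened one that requires every answer to be present and correct. The stored answers "rover" and "leeds" are constructed for the example; the real root cause in PayPal's code is not stated by the article, so the vulnerable check is an assumption about the bug class, not PayPal's implementation.

```python
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed from the write-up: the POST body before the attacker edits it.
CAPTURED_BODY = (
    "selectOption=SECURITY_QUESTION&securityQuestion0=test&securityQuestion1=test"
    "&jsEnabled=1&execution=e2s1&_sms_ivr_continue_btn_label=Continue"
    "&_default_btn_lable=Continue&_eventId_continue=Continue"
)

# Hypothetical: the account owner's real answers as the server stores them.
STORED_ANSWERS = {"securityQuestion0": "rover", "securityQuestion1": "leeds"}

QUESTION_FIELDS = ("securityQuestion0", "securityQuestion1")


def strip_parameters(body, names):
    """Step 3 of the write-up: drop the named fields from a form-encoded body,
    exactly as one would do in an intercepting proxy before forwarding."""
    fields = parse_qs(body, keep_blank_values=True)
    for name in names:
        fields.pop(name, None)
    return urlencode(fields, doseq=True)


def vulnerable_verify(body):
    """Hypothetical reconstruction of the bug class (assumption, not PayPal's
    code): each stored answer is compared only if the client sent that field,
    so a request with the fields removed is never rejected."""
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("selectOption", [""])[0] != "SECURITY_QUESTION":
        return False
    for name, expected in STORED_ANSWERS.items():
        if name in fields and fields[name][0] != expected:
            return False
    return True  # missing answers fall through as "passed"


def hardened_verify(body):
    """Hardened form: every required answer must be present exactly once and
    match; absence is a failure, and comparison is constant-time."""
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("selectOption", [""])[0] != "SECURITY_QUESTION":
        return False
    for name, expected in STORED_ANSWERS.items():
        supplied = fields.get(name)
        if supplied is None or len(supplied) != 1:
            return False
        if not hmac.compare_digest(supplied[0].encode(), expected.encode()):
            return False
    return True


if __name__ == "__main__":
    tampered = strip_parameters(CAPTURED_BODY, QUESTION_FIELDS)
    print("tampered body:", tampered)
    print("vulnerable check, wrong answers :", vulnerable_verify(CAPTURED_BODY))
    print("vulnerable check, fields removed:", vulnerable_verify(tampered))
    print("hardened check, fields removed  :", hardened_verify(tampered))
```

Run it and the wrong answers ("test") are rejected by both checks, but the body with the fields stripped is accepted by the vulnerable check and rejected by the hardened one. The difference is the single line that treats an absent field as "nothing to compare": a fallback authentication step must fail closed when its inputs are missing.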