Question
I am trying to understand the logic behind the following vulnerability. I believe this is a design flaw and not only an implementation flaw.
To me, the problem with the two-factor authentication service at PayPal is that the server does not distinguish between an authentication request coming from the mobile app and one coming from the web app. For that reason, when the server disables two-factor authentication based on the mobile app's request, it gets disabled for the user account, not only for the user's mobile app. Is my interpretation correct?
PayPal Vulnerability
Vulnerability Description: It has recently been reported that PayPal's two-factor authentication security measures can be bypassed. The vulnerability or flaw pertains to the way that PayPal's authentication flow works with the service's mobile apps for iOS and Android. PayPal gives users the ability to use two-factor authentication in a variety of ways, each of which creates a one-time passcode for login. These two-factor forms are available on the official PayPal website but are not supported by the PayPal mobile apps. Here is how it worked: when PayPal's servers responded to a POST request sent from the mobile app for a two-factor-enabled account, the application would show an error message telling the user that two-factor was enabled and not supported, initially sending the user back to the login. But when the value in the server
Explanation / Answer
The vulnerability is in the fact that the application enforces second-factor auth verification client-side.
That is, the service itself does not require two-factor authentication, ever. But it is willing to process two-factor authentication if requested, and if the client app learns that the account has two-factor enabled, then the app will attempt verification.
But if the client doesn't find out (or is modified to not care), then it won't request verification. And the backend service won't complain either.
The vulnerability can be summed up thusly: "Two-factor authentication is not enforced." Whether that's a design flaw or an implementation flaw depends on whether they meant for it to be this way or whether it was an accident. They haven't said either way.
Note that this vulnerability was discovered back in August by Joshua Rogers. The attribution you've supplied is incorrect.
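As an added illustration (not code from the question, the answer, or PayPal), here is a constructed Python sketch of the pattern the answer describes: a backend that grants a full session after the password step and only informs the client that 2FA is on, beside a version that keeps the 2FA state in the server-side session so a client that skips the step still gets nothing. The user records, secrets and the toy counter-based OTP are all assumptions.

```python
import hmac
import hashlib

# Constructed user store (assumed, not real data): "two_factor" marks accounts
# with 2FA enabled; "otp_secret" is the constructed shared OTP secret.
USERS = {
    "alice": {"password": "hunter2", "two_factor": True, "otp_secret": b"k1"},
    "bob": {"password": "letmein", "two_factor": False, "otp_secret": None},
}

def otp_for(secret: bytes, counter: int) -> str:
    """Toy counter-based one-time code: HMAC-SHA256 truncated to 6 digits."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def password_ok(user: str, password: str):
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"].encode(), password.encode()):
        return None
    return rec

# Vulnerable model: the password step already yields an authorized session.
# The server merely *tells* the client that 2FA is enabled and relies on the
# client to ask for verification; a client that ignores the flag is never
# challenged, which is the "not enforced" situation the answer describes.
def vulnerable_login(user: str, password: str):
    rec = password_ok(user, password)
    if rec is None:
        return None
    return {"user": user, "authorized": True, "two_factor_enabled": rec["two_factor"]}

# Hardened model: the password step yields only a partial session when 2FA is
# on. Authorization is granted by the server, after it checks the code itself.
def hardened_login(user: str, password: str):
    rec = password_ok(user, password)
    if rec is None:
        return None
    state = "pending_2fa" if rec["two_factor"] else "authenticated"
    return {"user": user, "state": state, "counter": 0}

def hardened_verify_otp(session: dict, code: str) -> dict:
    rec = USERS[session["user"]]
    if session["state"] == "pending_2fa" and hmac.compare_digest(
        otp_for(rec["otp_secret"], session["counter"]), code
    ):
        session["state"] = "authenticated"
    return session

def is_authorized(session) -> bool:
    """The check every protected endpoint applies, whatever the client did."""
    return session is not None and session.get("state") == "authenticated"
```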