PayPal Account Verification Bypass

25 September, 2015


So this is a very simple bug that I found in PayPal back in January 2015. I guess its reproduction is the "Smallest Bug Reproduction Ever". Yes! That is right.

So the bug is that when someone logs in to his/her PayPal account, in certain cases (e.g. login from an unusual location, entering a wrong password first and then the correct one, etc.) PayPal asks the user to verify account ownership. After logging in, the user gets stuck at a page where PayPal asks them to verify the account via SMS or call. (The phone numbers that are in the account appear there, so you can choose one and PayPal will send the code via SMS/call.) So the user has to select a phone number and choose whether to receive the verification code via SMS or call. PayPal then sends a verification code, and once the user enters the correct code on that page the login completes and the user is able to perform further actions like account overview, send money, receive money, account settings, etc.

PayPal account ownership verification page

Reproduction: So now suppose you don't have access to the phone number listed there, so let's do the bypass! (It's easy af.) Log in to PayPal and, when it asks you to verify account ownership, leave that tab as it is and open https://www.paypal-community.com/ in another tab. Then click the Login button there (located at the top) and enter your correct PayPal login. After logging in to the PayPal Community site, click the PayPal Home link at the top, which redirects to the main PayPal.com site, and BOOOOOMMMMMM!!! Yes, you just bypassed the verification. Seems pretty easy, right? Yes, it is pretty easy to bypass.

I reported it to PayPal and they fixed it after a month or two. They claimed that when a person does this, their "INTERNAL SECURITY SYSTEM" prevents the user from doing further actions, but they were wrong. I made a video then (chill! I'll make it public) in which I showed them that after this bypass an attacker can send money, receive money, withdraw money, edit account settings; I mean, just do everything.

The problem was caused by the PayPal Community site login being linked with the original PayPal.com login. They both had the same login. In the fix, they've separated the logins for the two sites. I haven't tested the new login function yet, but you guys should go for it and see if you can find something else :)
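To make the root cause concrete, here is an added toy model (not PayPal's code; every class and name is constructed for this illustration): two login entry points share one user base, the vulnerable variant records the step-up result on whatever session the entry point mints, so the second entry point walks past the gate, while the hardened variant keeps the pending verification on the account and re-checks it at every sensitive action.

```python
from dataclasses import dataclass

DENIED = "denied: step-up verification required"

@dataclass
class Account:
    user: str
    password: str
    step_up_pending: bool = False  # set by a risk signal, cleared by SMS/call code

@dataclass
class Session:
    user: str
    verified: bool  # the vulnerable design stores the step-up result here

class VulnerableAuth:
    """Two login entry points over one user base. The community path mints a
    trusted session without consulting the risk flag, so it skips the gate."""
    def __init__(self, accounts):
        self.accounts = {a.user: a for a in accounts}

    def _authenticate(self, user, password):
        acct = self.accounts[user]
        if password != acct.password:
            raise PermissionError("bad credentials")
        return acct

    def login_main(self, user, password):
        acct = self._authenticate(user, password)
        return Session(user, verified=not acct.step_up_pending)

    def login_community(self, user, password):
        self._authenticate(user, password)
        return Session(user, verified=True)  # BUG: risk flag never consulted

    def send_money(self, session):
        return "ok" if session.verified else DENIED

class HardenedAuth(VulnerableAuth):
    """Fix: the pending step-up stays on the account and is re-checked at every
    sensitive action, whichever entry point minted the session."""
    def send_money(self, session):
        return DENIED if self.accounts[session.user].step_up_pending else "ok"

    def complete_step_up(self, session, code, expected_code):
        if code == expected_code:  # code was delivered out of band via SMS/call
            self.accounts[session.user].step_up_pending = False
```

Run against an account flagged for step-up, a session from `login_community` is allowed to send money in the vulnerable class but is refused in the hardened one until the code is entered.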

Impact: Well, such bypasses don't need any impact explanation, but the most important impact in my mind is that there are a lot of websites on the dark web that sell PayPal logins. So when the hackers/bad guys use those logins, this verification is the single thing that prevents the attacker from harming the innocent (!nN0c3nT :'D) user. Bypassing this verification means full access to the account, and then you can do whatever you want.

PS: I'm still not that good at writing, but I hope you like it.