PayPal has been on the hot seat ever since CyberNews published its discovery of highly severe security vulnerabilities in mid-February. The report was made by the publication's research team and included a complaint that PayPal did not take them seriously. To quote, “When our analysts discovered six vulnerabilities in PayPal – ranging from dangerous exploits that can allow anyone to bypass their two-factor authentication (2FA), to being able to send malicious code through their SmartChat system – we were met with non-stop delays, unresponsive staff, and lack of appreciation”.
It appears that the debate between CyberNews and PayPal won’t end anytime soon as the latter initially refused to admit that the said vulnerabilities don’t pose a threat. But let’s leave the debate to them and focus on the issue instead. With over 300 million PayPal users all over the world, it’s imperative that people are aware that this is happening. As of the time of writing, there has been no report of anyone falling victim to these threats yet, but it’s better to be safe than sorry. According to the CyberNews team itself, they made the report public to warn PayPal users before hackers exploit those security flaws. It is worth noting that the team did conduct some tests that led to their discovery. So what are those PayPal vulnerabilities discovered by CyberNews? This two-part article will discuss the 6 vulnerabilities in part 1 and the ways to avoid them in part 2.
1. PayPal’s two-factor authentication (2FA) can be bypassed
The CyberNews team refers to PayPal’s double-checking of credentials when a user logs in from a different device as two-factor authentication. Apparently, their team was able to hack a sample account using the PayPal mobile app and a MITM proxy. While PayPal does have a real 2FA process, it can’t be ignored that accounts can still be hacked one way or another despite that process. After all, not all PayPal users have their 2FA enabled, and hackers can easily buy credentials from the market, log in with them, and bypass 2FA in just a matter of a few minutes.
2. No One Time Password (OTP) phone verification
The CyberNews team was easily able to confirm a new phone number without being asked for an OTP. If PayPal doesn’t resolve this as soon as possible, it opens up a lot of opportunities for scammers, the most common being the ability to create a lot of fraudulent accounts.
3. Bypassing sending money security measures
It’s worth mentioning that PayPal does have security measures in place when someone is sending money. These security measures are triggered under certain circumstances, such as when someone uses a different device or tries to send money from a different IP address. However, because this is directly related to vulnerability #1, the CyberNews team was easily able to bypass them, and therefore hackers can do the same.
4. Complete change of name instead of just 1 or 2 letters
PayPal has a default process that allows a one-time change of 1 or 2 letters in the account’s name, and that option disappears soon after it’s done. However, the CyberNews team was able to change a name completely from “Tester IAmTester” to “christin christina” by capturing the request and repeating it, changing 1 to 2 letters each time. Obviously, hackers can do that quite easily too, and once they do, the real account holder will no longer have access to his or her account since the name has been changed completely.
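As an added illustration (not from the CyberNews report and not PayPal's code), the sketch below models the name-change flaw described above, assuming the letter limit was checked per request against the current name. It contrasts that with a check that records the correction server-side and measures the change from the name on record. The `Account` model, function names and sample names are hypothetical and constructed for this example.

```python
from dataclasses import dataclass

MAX_CHANGED_LETTERS = 2  # the "1 or 2 letters" rule described in the article
# Constructed sample: each request differs from the previous name by one letter.
STEPS = ["Jon Smyth", "Jan Smyth", "Jan Smythe"]

def edit_distance(a, b):
    """Levenshtein distance: single-letter inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

@dataclass
class Account:
    verified_name: str            # name on record when the account was set up
    display_name: str             # name currently shown on the account
    correction_used: bool = False # server-side record of the one-time change

def naive_change(acct, new_name):
    """Weak check: compares with the current name and keeps no state,
    so a repeated request is judged as if it were the first one."""
    if edit_distance(acct.display_name, new_name) > MAX_CHANGED_LETTERS:
        return False
    acct.display_name = new_name
    return True

def hardened_change(acct, new_name):
    """One correction per account, measured from the name on record."""
    if acct.correction_used:
        return False
    if edit_distance(acct.verified_name, new_name) > MAX_CHANGED_LETTERS:
        return False
    acct.display_name = new_name
    acct.correction_used = True
    return True

def replay(change, start, steps):
    """Submit each name in turn and return the final display name."""
    acct = Account(verified_name=start, display_name=start)
    for name in steps:
        change(acct, name)
    return acct.display_name
```

With the constructed names, the weak check lets the name drift three letters away from the original, while the hardened check accepts only the first correction.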
5. PayPal’s SmartChat is vulnerable
The CyberNews team discovered that PayPal’s self-help chat, called SmartChat, doesn’t have the form validation that’s crucial for checking the text a person writes, so they were able to attach their malicious payload during the test. This will allow any hacker to capture customer support session cookies to access the user’s account.
6. Cross-Site Scripting (XSS) on security questions
Since PayPal doesn’t sanitize its security questions appropriately, the CyberNews team was able to inject their test code into the account, which resulted in a lot of clickable links. If attackers do the same thing, they will be able to grab the users’ sensitive data.
Watch out for part 2 of this article that will discuss how to avoid these vulnerabilities.