Researchers say they found a hole in PayPal’s security. PayPal says it’s no big deal
More than two weeks after a third party publicized security vulnerabilities in PayPal’s service, the online payments giant hasn’t fixed them while denying there’s a problem.
Cybersecurity publication CyberNews reported in February that it had discovered six vulnerabilities in PayPal’s systems. One of the most serious would allow hackers with stolen login information to bypass PayPal’s usual controls and take over a victim’s account.
PayPal says the bypass isn’t a threat because of existing safeguards it has in place.
CyberNews says the main vulnerability is in a PayPal security check called “Authflow,” which detects whether a login attempt is made from a new device, location, or IP address, and can block the login if it’s suspicious. Bypassing this system, CyberNews says, could let attackers who have obtained customer login information to take over accounts from a phone or PC halfway around the world.
Because PayPal has not patched the vulnerability, CyberNews has not fully disclosed how it works. Zak Doffman, a cybersecurity contributor for Forbes, recently wrote that CyberNews had demonstrated the exploit to him, and that “it did appear at face value to bypass the [device and IP] check.”
HackerOne, a service that handles security vulnerability reports for PayPal, declined to comment to Fortune. But CyberNews shared communications in which HackerOne downplayed the significance of the CyberNews report, saying “there does not appear to be any security implications as a direct result of this behavior” because the exploit requires the attacker to already have the victim’s account password. PayPal does not dispute the validity of CyberNews’ core findings, but it says that it does not consider issues involving stolen credentials to be bugs.
However, PayPal account information is frequently offered for sale on darkweb marketplaces, often for pennies. Login information can be obtained using techniques including “credential stuffing,” which can detect whether a password stolen from one site has been re-used for a PayPal account.
However, PayPal says in statements to Fortune that, even if a hacker exploited the flaw discovered by CyberNews, “there are multiple additional compensating controls for users whose accounts are compromised, including fraud prevention and dispute processes,” and that “these claims present limited real-world impact.” The statement suggests PayPal would reverse fraudulent charges or otherwise compensate users whose accounts are compromised using the method.
PayPal also recommended that users implement two-factor authentication “whenever possible” to prevent account compromise, though it is not required.
Additionally, CyberNews researchers says PayPal’s bug-reporting procedures conflict with widely-accepted standards, and have stymied efforts to report and fix the vulnerabilities. The publication says it tried to report its findings directly to PayPal in November, but was unable to get much of a response.
Instead of acting on the tip, PayPal shortly thereafter referred the researchers to a bug bounty program managed by HackerOne that provides compensation for reports of security vulnerabilities. CyberNews reported its findings through HackerOne in January.
However, CyberNews lead researcher Bernard Meyer says it had contacted PayPal directly because submitting the tip through a bounty program wasn’t CyberNews’ first choice: “The point wasn’t for us to get money, it was for PayPal to patch something that effects thousands or millions of people.”
More must-read stories from Fortune:
—How 5G promises to revolutionize farming
—Did the ‘techlash’ kill Alphabet’s city of the future?
—College backlash against facial recognition technology grows
—In A.I., what would Jesus do?
—Coronavirus is giving China cover to expand its surveillance. What happens next?
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.