In this post, i would like to share a very simple logic flaw I found earlier this year I have found a way to circumvent mobile verification by utilizing a different portal for logging into a paypal account. The flaw lies in the fact that paypal does not perform two step verification/authorization checks on all different portals that are used to log into a paypal account. Ideally, there should be a centralized authentication mechanism to authenticate the user or else additional authorization checks have to be applied to all different portals that are used to log into paypal ccount.
In this case, We could use the mobile activation page to log into the paypal account without happen to use a mobile phone.
https://www.paypal.com/us/cgi-bin/?cmd=_mobile-activate-outside
Demonstration
Unfortunately, the bug was marked as duplicate so it was not eligible for a bounty, however that really doesn't matter as the fun and the learning is more important. However, there are still other ways to circumvent mobile verification, however i did not wish to report.
Bypassing Payment Restrictions
After you have bypassed paypal might restrict you from transferring funds to another account, however there is a simple way of bypassing it as well, all you have to do is to create a donation button or any other payment button from paypal and directly use that to transfer money, paypal does not enforce any restriction on it.
No comments:
Post a Comment