PayPal has patched a boneheaded two-factor authentication flaw that allowed attackers to switch off the critical account control in minutes by changing a zero to a one. British MWR InfoSecurity consultant Henry Hoggart (@_mobisek) discovered and quietly reported the flaw to the payment giant. Attackers with usernames and passwords in hand needed only to tamper with POST requests, changing securityquestion0 to securityquestion1, for two-factor authentication to be bypassed.
ORIGINAL SOURCE: The Register