ADVERTISEMENT

We found PayPal vulnerabilities – but PayPal called them trivial

paypal sending money
Bernard Meyer
Bernard Meyer Senior Researcher
Feb 17, 2020 Updated: 8 July 2025 10 min read

Vulnerabilities we discovered

#1 Bypassing PayPal’s two-factor authentication (2FA)

PayPal's "2FA" security check, which is easily bypassable

How we did it

token values with permisions

What’s the worst case scenario here?

PayPal’s response

HackerOne's muted response to the PayPal 2FA bypass

#2 Phone verification without OTP

How we did it

editing phone number on paypal account

What’s the worst case scenario here?

PayPal’s response

#3 Sending money security bypass

  • You’re using a new device
  • You’re trying to send payments from a different location or IP address
  • There’s a change in your usual sending pattern
  • The owning account is not "aged" well (meaning that it’s pretty new)
  • "You'll need to link a new payment method to send the money"
  • "Your payment was denied, please try again later"

How we did it

What’s the worst case scenario here?

PayPal’s response

#4 Full name change

It was pretty easy to change our test account's name, bypassing PayPal's name change security
ADVERTISEMENT

How we did it

What’s the worst case scenario here?

PayPal’s response

#5 The self-help SmartChat stored XSS vulnerability

PayPal's SmartChat stored XSS vulnerability

How we did it

What’s the worst case scenario here?

PayPal’s response

#6 Security questions persistent XSS

How we did it

PayPal's security questions persistent XSS

What’s the worst case scenario here?

  • Showing a fake pop up that could say “Download the new PayPal app” which could actually be malware.
  • Changing the text user is adding. For example, the scammer can alter the email where the money is being sent.
  • Keylogging credit card information when the user inputs it.

PayPal’s response

PayPal’s reputation for dishonesty

The big problem with HackerOne

What it all means

  1. Buy PayPal accounts on the black market for pennies on the dollar. (On one blackhat forum, you can buy a $5,000 PayPal account for just $150, giving you a 3,333% ROI.)
  2. Use Vulnerability #1 to bypass the two-factor authentication easily.
  3. Use Vulnerability #3 to bypass the sending money security and easily send money from the linked bank accounts and cards.

Our hand-picked digital services for online presence and privacy

ADVERTISEMENT