Teenage Australian hacker reveals PayPal flaw
A teenage Australian ‘white hat’ hacker who found a flaw in PayPal's authentication system in June has now gone public on the problem because PayPal has still not fixed it.
But Melbourne-based Joshua Rogers – who was arrested by armed police earlier this year after he alerted the Victorian Transportation Department to a leak in its 600,000-user database – has divided security industry opinion by going public, with one expert accusing him of doing “a disservice to PayPal users by unnecessarily exposing them to new risks” and “a disservice to the security industry by perpetuating the stereotype of cowboy hackers”.
Rogers, who is 17, says in a 5 August blog post that PayPal's two-factor authentication (2FA) system can be bypassed. The flaw comes through the way PayPal (which is owned by eBay) allows users to link their eBay and PayPal accounts so when they sell something on the auction site, the fees automatically come out of their PayPal account.