As a precaution, the company has disabled the ability of customers with 2FA enabled to log in through PayPal mobile apps and other mobile apps, Nayar said. However, those customers can still use their accounts on mobile devices by visiting the PayPal mobile site instead, he said.
It would have been easy for someone else to discover this issue in the past, especially since the problem has likely existed for a long time, said Zach Lanier, a senior security researcher at Duo Security. The strange behavior on iOS where the app briefly showed information about the account before locking the user out was enough for Saltman, who is not a security researcher, to try the airplane-mode trick, he said.
It would have taken someone with a hacker mindset from 30 minutes to an hour to reverse engineer the whole process and figure out what happens underneath, Lanier said. PayPal should have been able to find the underlying issue back in March when Saltman first reported the airplane-mode bypass to the company, he said.