In this post, i would like to share a very simple logic flaw I found earlier this year I have found a way to circumvent mobile verification by utilizing a different portal for logging into a paypal account. The flaw lies in the fact that paypal does not perform two step verification/authorization checks on all different portals that are used to log into a paypal account. Ideally, there should be a centralized authentication mechanism to authenticate the user or else additional authorization checks have to be applied to all different portals that are used to log into paypal ccount.

In this case, We could use the mobile activation page to log into the paypal account without happen to use a mobile phone.

https://www.paypal.com/us/cgi-bin/?cmd=_mobile-activate-outside

Demonstration

Unfortunately, the bug was marked as duplicate so it was not eligible for a bounty, however that really doesn't matter as the fun and the learning is more important. However, there are still other ways to circumvent mobile verification, however i did not wish to report.

Bypassing Payment Restrictions

Example

https://www.paypal.com/id/cgi-bin/webscr?cmd=_flow&SESSION=OvGwImW-aZGi7_Jf-oBOYlXFljX6KfnUMxeUoxyow7Woq8ZZYb7SihFpKQy&dispatch=50a222a57771920b6a3d7b606239e4d529b525e0b7e69bf0224adecfb0124e9b61f737ba21b08198d1a93361f052308ac20c1249d8113f4c