Things to know:
- I have an eBay account
- I have a PayPal account
- I turned on 2FA for my PayPal account
I’m just an average eBay customer having my PayPal account linked. No matter why, but recently I changed my PayPal account. Few days ago I realized my eBay and PayPal accounts were not synced as eBay had my prior PayPal account. So I just unlinked them and tried to link my new PayPal account. Theoretically it’s easy. Here is the official guide:
- Click My eBay at the top of most eBay pages.
- Click the Account tab.
- Click the “PayPal Account” link on the left side of the page.
- Click the Link My PayPal Account button.
- You’ll be asked to log into PayPal to finish linking your accounts.
Step 5 can be tricky though. When you enter your username and password (first factor) you are redirected to a page on which you can click on the “SEND” button so you receive the second factor code via text message. You enter the code and magic SHOULD happen. Magic means you should be redirected back to eBay. In reality you’re redirected to the PayPal login page again (username and password). I repeated these steps at least 5 times and got the same result.
Yes – I tried all the classics: logout from eBay and PayPal, clear the browser cache, private browsing, new browser, google the problem … nothing worked.
I suspected it’s not a real issue. If it would be a bug, the Internet would be full of it. eBay and PayPal are big players, if the integration breaks between these two that’s a big thing, right? So I fired up Burp to see what’s going on and what I found was a kind of shocking. No surprise, when you click on the “Link My PayPal” account link on eBay a lot of things happen. There are approx. 10 calls within the eBay domain, but I was not interested in those. Of course at some point in time you are redirected to paypal.com. The key is the last eBay URL before you leave the site.
http://shiptrack.ebay.com/ws/eBayISAPI.dll?PayPalRegistrationRedirect& ru=http%3A%2F%2Fmy.ebay.com%2Fws%2FeBayISAPI.dll%3FMyEbay%26CurrentPage%3DMyeBayMyAccounts& sru=http%3A%2F%2Fmy.ebay.com%2Fws%2FeBayISAPI.dll%3FMyEbay%26CurrentPage%3DMyeBayMyAccounts&flowtype=4& eru=http%3A%2F%2Fmy.ebay.com%2Fws%2FeBayISAPI.dll%3FMyEbay%26CurrentPage%3DMyeBayMyAccounts& &link=1& backToEbayRu=https%3A%2F%2Fpayments.ebay.com%2Fws%2FeBayISAPI.dll%3FTrinityDualAuthLink& guest=1
I tried to color-code the URL – it’s URL-encoded, but you can spot the point, I believe. This call defines the “return URLs” to which you should be redirected back after the PayPal authentication. If you’ve ever coded / pen tested / used a site which was integrated with another one, you’ve seen such things.
What’s the problem then? Well, PayPal fails to propagate these URLs (via the 2FA pages). I’m not sure whether the 2FA is the problem here, because I couldn’t turn 2FA off (!!) for testing purposes. This option just disappeared from the security settings!! Anyway.. what happens is that during the PayPal login process it starts using its own “returnUri” parameter. This parameter of course doesn’t point back to eBay. So here is the problem:
- You click on the “Link my PayPal” link (eBay)
- You are redirected to the PayPal login page (PayPal)
- You enter your username and password (PayPal)
- You request a secondary code to your phone (PayPal)
- You enter the code (PayPal)
- You are redirected back to the login page (PayPal)
You never hit eBay again!
Once I saw this flow, the solution was obvious. All I needed to do was to “manually redirect” myself back to eBay by entering one of the return URLs to my browser’s address bar (after some decoding of course). Then eBay greeted and told me I’m just one step away from finishing the process. So I just clicked on a button and it’s over.
What bugs me is that turning on a security feature (2FA) breaks the eBay and PayPal integration. I don’t know if it’s just me or others might be affected as well? Maybe there was some other circumstances that ended up in this mess. I will never understand these IT things I believe 🙂