Our business Paypal account had some unusual login attempts on it, which triggered us needing 2FA to login each time.
I found a pretty easy way to bypass this, and reported the issue to Paypal on HackerOne with a video and description on how to circumvent it.
I was told that “the reported behavior is intended” and they are closing the issue as informative.
A week on and the issue appears to be fixed.
Granted the way I found to bypass it was rather trivial, and I’m no expert. Am I right in thinking this is a legitimate security issue, and they are wrong to state it’s intended behaviour?