Feeds

eBay security conspiracy catches on with readers

Backdoor man

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

Letters Our story reporting the abundance of people who believe there is a secret backdoor in eBay's network appeared to touch a nerve. Please continue to send tips to your reporter at the link above.

Very interested to read your article, Dan. My eBay account has been hacked twice. Luckily both times eBay picked up on it quickly and let me know but that was only because the hacker went pretty crazy posting auctions.

However contacting them to express my concern I was rather insulted to receive an email back explaining how I must have been careless enough to give out my details to a phisher. I've been programming web systems for 9 years and consider myself pretty switched on to this kind of threat, so certainly haven't given out my details to anyone. Really pleased you've brought this into the open, let's hope eBay do something about it.

Best Regards,

Phil


I had exactly this happen to my ebay auction on Saturday. I was selling my car - quite a rare one so relatively highly valued, checked back to see how the bidding was going and found that it had been hacked, a fake buy it now price and button inserted and a message from the gmail account in question (I still have the address) telling people that they could now buy the car for £5,000. I don't reply to odd emails, nor do I ever give my details out, but they somehow got so deep into my account they even changed my date of birth. Ebay never confirmed how it happened, they just pulled my listing. They did agree that my account had been hacked, but just made me go through the stupid "safety tutorial" before they would let me back into my account.

I'm amazed that that many people fell foul to a phishing email. I'd changed my ebay password only five days before hand (as I'd forgotten my old one) and running a television post production facility I invest a lot of time and energy in security - I'm not the kind of guy to click on random emails.


The picture of the "Contivity VPN client" makes it look like the hacker hasn't so much "developed ... a sophisticated tool that reads confidential information residing on eBay's internal network", as "stolen one of their employees' RSA Secur-ID (or similar) keyfobs". That's what the number in the "token" field represents, and it means he's logging into their internal LAN - from which point it probably becomes trivial to gain access to the account data, management tools etc., internal security never being as good as it should be in corporate networks.

The interesting question then becomes "Why doesn't eBay deactivate lost or stolen keyfobs"?

cheers,

DaveK


So let me get this straight - some kid gets somebody to write a Firefox plugin for him that steals eBay login credentials, he gets lucky and get a forum moderator account, and uses that to modify hundreds (?) of auctions (because obviously forum moderators have that kind of power...) You don't think it likely that he used the *other* login credentials he stole to modify the auctions? No....too obvious. ^^

It looks like the hacker gained VPN access to the internal eBay network. That, along with the fact that they don't stored hashed passwords but plain text ones is a very likely explanation of what is happening. So it's just plain old fashioned hacking which leads to disastrous results because eBay's bad security design.

On a side note, I don't trust any site which emails you a confirmation link along with the username and password. First of all, they should never know your password textually (just retrieve the form and the same script stores the hash) and second of all, this is a goddamn email. With all https, ssl etc. emails are still clear text and can be intercepted relatively easily.


Thanks for the Bape Hoody article on The Register. I too was scammed at the back end of 2006 with Bape Hoodies for sale on my account. Ebay suspended my account, threatened to terminate my account if I did it again and treated me like some sort of criminal. It's nice to know that I probably wasn't phished but disturbing that ebay may have such holes in its security.

I have emailed ebay and asked them for a statement on this matter - I'll forward their reply if you wish

Thanks again

Jim


I read about ebay hijacking on a message board recently. One poster there pointed out that if you are logged into ebay from two separate machines and change the password on one, then the other machine is still logged in even though the details have changed. You can start and edit auctions from the second machine - thus the observed behaviour could happen if a hijacker was still logged whilst the password was changed.

®

Reducing security risks from open source software

More from The Register

next story
Motorist 'thought car had caught fire' as Adele track came on stereo
'FIRE' caption on dashboard prompts dunderheaded hard shoulder halt
Delaware pair nabbed for getting saucy atop Mexican eatery
Burrito meets soft taco in alleged rooftop romp outrage
Japanese artist cuffed for disseminating 3D ladyparts files
Printable genitalia fall foul of 'obscene material' laws
Carlos: Slim your working week to just three days of toil
'Midas World' vision suggests you retire later, watch more tellie and buy more stuff
Brit Rockall adventurer poised to quit islet
Occupation records broken, champagne corks popped
Accused! Yahoo! exec! SUES! her! accuser!, says! sex! harassment! never! happened!
Allegations were for 'financial gain', countersuit claims
Yahoo! Japan! launches! service! for! the! dead!
If you're reading this email, I am no longer alive
Plucky Rockall podule man back on (proper) dry land
Bold, barmy Brit adventurer Nick Hancock escapes North Atlantic islet
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.