
eBay security conspiracy catches on with readers

Backdoor man


Letters: Our story reporting the abundance of people who believe there is a secret backdoor in eBay's network appeared to touch a nerve. Please continue to send tips to your reporter at the link above.

Very interested to read your article, Dan. My eBay account has been hacked twice. Luckily both times eBay picked up on it quickly and let me know but that was only because the hacker went pretty crazy posting auctions.

However, on contacting them to express my concern, I was rather insulted to receive an email back explaining how I must have been careless enough to give out my details to a phisher. I've been programming web systems for 9 years and consider myself pretty switched on to this kind of threat, so certainly haven't given out my details to anyone. Really pleased you've brought this into the open, let's hope eBay do something about it.

Best Regards,

Phil


I had exactly this happen to my ebay auction on Saturday. I was selling my car - quite a rare one so relatively highly valued, checked back to see how the bidding was going and found that it had been hacked, a fake buy it now price and button inserted and a message from the gmail account in question (I still have the address) telling people that they could now buy the car for £5,000. I don't reply to odd emails, nor do I ever give my details out, but they somehow got so deep into my account they even changed my date of birth. Ebay never confirmed how it happened, they just pulled my listing. They did agree that my account had been hacked, but just made me go through the stupid "safety tutorial" before they would let me back into my account.

I'm amazed that that many people fell foul to a phishing email. I'd changed my ebay password only five days beforehand (as I'd forgotten my old one) and, running a television post production facility, I invest a lot of time and energy in security - I'm not the kind of guy to click on random emails.


The picture of the "Contivity VPN client" makes it look like the hacker hasn't so much "developed ... a sophisticated tool that reads confidential information residing on eBay's internal network" as "stolen one of their employees' RSA SecurID (or similar) keyfobs". That's what the number in the "token" field represents, and it means he's logging into their internal LAN - from which point it probably becomes trivial to gain access to the account data, management tools etc., internal security never being as good as it should be in corporate networks.

The interesting question then becomes "Why doesn't eBay deactivate lost or stolen keyfobs"?

cheers,

DaveK
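The keyfob point above, as an added example that is not part of the letter or of any eBay system: a server-side one-time-password check with a revocation list, so that a keyfob reported lost is refused even when the code it displays is correct. The code uses RFC 4226 HOTP (HMAC-SHA1 over a counter) as a stand-in; SecurID's own algorithm is different and proprietary. The serial numbers and seeds are constructed; the only real values are the RFC 4226 test vector used to check the HOTP routine.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenRegistry:
    """Server-side record of issued tokens (constructed example). A token
    reported lost is marked revoked and its codes are refused even if correct."""

    def __init__(self, window: int = 5):
        self.window = window   # how far ahead of the stored counter we will search
        self.tokens = {}       # serial -> {"secret", "counter", "revoked"}

    def enrol(self, serial: str, secret: bytes) -> None:
        self.tokens[serial] = {"secret": secret, "counter": 0, "revoked": False}

    def revoke(self, serial: str) -> None:
        # Deactivating a lost or stolen keyfob is one record update.
        self.tokens[serial]["revoked"] = True

    def verify(self, serial: str, code: str) -> bool:
        tok = self.tokens.get(serial)
        if tok is None or tok["revoked"]:
            return False
        # Look-ahead window tolerates button presses that never reached the server.
        for c in range(tok["counter"], tok["counter"] + self.window):
            if hmac.compare_digest(hotp(tok["secret"], c), code):
                tok["counter"] = c + 1    # resync; the same code cannot be replayed
                return True
        return False
```

The revocation check sits before any cryptographic work, so a revoked fob fails fast and cannot be "resynced" back into service by guessing codes.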


So let me get this straight - some kid gets somebody to write a Firefox plugin for him that steals eBay login credentials, he gets lucky and gets a forum moderator account, and uses that to modify hundreds (?) of auctions (because obviously forum moderators have that kind of power...) You don't think it likely that he used the *other* login credentials he stole to modify the auctions? No....too obvious. ^^

It looks like the hacker gained VPN access to the internal eBay network. That, along with the fact that they don't store hashed passwords but plain text ones, is a very likely explanation of what is happening. So it's just plain old fashioned hacking which leads to disastrous results because of eBay's bad security design.

On a side note, I don't trust any site which emails you a confirmation link along with the username and password. First of all, they should never know your password textually (just retrieve the form and the same script stores the hash) and second of all, this is a goddamn email. With all the HTTPS, SSL etc., emails are still clear text and can be intercepted relatively easily.
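The storage point in the letter above, as an added example that is not part of the letter and does not describe eBay's code: the plain-text design beside a hashed one, with the sign-up message each would put in an email. The user, password and confirmation URL are constructed; PBKDF2-HMAC-SHA256 from the standard library is used as the slow hash (argon2 or scrypt would do equally well).

```python
import hashlib
import hmac
import os


class PlaintextStore:
    """The design the letter objects to: the site keeps the password as typed
    and echoes it back in the sign-up email."""

    def __init__(self):
        self.users = {}  # username -> password

    def register(self, user: str, password: str) -> str:
        self.users[user] = password
        # Anyone who reads the mail in transit or at rest now has the credential.
        return f"Welcome {user}. Your username is {user} and your password is {password}."

    def check(self, user: str, password: str) -> bool:
        return self.users.get(user) == password


class HashedStore:
    """Store only a salted, slow hash; the confirmation mail carries a
    single-use token, never the credential."""

    ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise it over time
    _DUMMY_SALT = bytes(16)

    def __init__(self):
        self.users = {}  # username -> (salt, iterations, digest)

    @staticmethod
    def _derive(password: str, salt: bytes, iterations: int) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, user: str, password: str) -> str:
        salt = os.urandom(16)
        self.users[user] = (salt, self.ITERATIONS, self._derive(password, salt, self.ITERATIONS))
        token = os.urandom(16).hex()  # constructed one-time confirmation token, not a credential
        return f"Welcome {user}. Confirm your address at https://example.invalid/confirm?t={token}"

    def check(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            # Burn the same CPU time for unknown users so timing does not reveal them.
            self._derive(password, self._DUMMY_SALT, self.ITERATIONS)
            return False
        salt, iterations, digest = rec
        return hmac.compare_digest(digest, self._derive(password, salt, iterations))

    def stored_secret(self, user: str) -> bytes:
        """What someone on the internal network actually gets to read."""
        return self.users[user][2]
```

With the hashed store, a VPN user who dumps the user table gets a 32-byte digest per account and has to brute-force each one separately at 600,000 PBKDF2 rounds per guess; with the plain-text store the same dump is the complete set of working logins.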


Thanks for the Bape Hoody article on The Register. I too was scammed at the back end of 2006 with Bape Hoodies for sale on my account. Ebay suspended my account, threatened to terminate my account if I did it again and treated me like some sort of criminal. It's nice to know that I probably wasn't phished but disturbing that ebay may have such holes in its security.

I have emailed ebay and asked them for a statement on this matter - I'll forward their reply if you wish

Thanks again

Jim


I read about ebay hijacking on a message board recently. One poster there pointed out that if you are logged into ebay from two separate machines and change the password on one, then the other machine is still logged in even though the details have changed. You can start and edit auctions from the second machine - thus the observed behaviour could happen if a hijacker was still logged in whilst the password was changed.
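The behaviour in the letter above, and the fix for it, as an added example that is not from the letter and does not describe eBay's implementation: each session records the "generation" of the password it was issued under, and a password change bumps the generation, so every session on another machine stops validating at once rather than living on until it expires. The user, listing and password values are constructed; the PBKDF2 work factor is kept low so the example runs quickly.

```python
import hashlib
import hmac
import os
import secrets


class AuthService:
    """Sessions are bound to the password generation they were issued under."""

    def __init__(self):
        self.users = {}     # name -> {"salt", "hash", "generation"}
        self.sessions = {}  # session id -> {"user", "generation"}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Work factor kept low for the example; production uses a much higher one.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

    def _password_ok(self, name: str, password: str) -> bool:
        u = self.users.get(name)
        return u is not None and hmac.compare_digest(u["hash"], self._derive(password, u["salt"]))

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": self._derive(password, salt), "generation": 0}

    def login(self, name: str, password: str):
        if not self._password_ok(name, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": name, "generation": self.users[name]["generation"]}
        return sid

    def current_user(self, sid: str):
        """Return the user for a live session, or None if it is unknown or stale."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if s["generation"] != self.users[s["user"]]["generation"]:
            del self.sessions[sid]   # issued before the last password change
            return None
        return s["user"]

    def change_password(self, sid: str, old: str, new: str) -> bool:
        name = self.current_user(sid)
        if name is None or not self._password_ok(name, old):
            return False
        u = self.users[name]
        u["salt"] = os.urandom(16)
        u["hash"] = self._derive(new, u["salt"])
        u["generation"] += 1
        # Re-bind only the session that made the change; every other device is logged out.
        self.sessions[sid] = {"user": name, "generation": u["generation"]}
        return True

    def edit_auction(self, sid: str, listing: dict, field: str, value) -> bool:
        """The action the letter describes: only a live session of the seller may edit."""
        if self.current_user(sid) != listing["seller"]:
            return False
        listing[field] = value
        return True
```

Without the generation check the hijacker's session in the test below would keep working after the owner changed the password, which is exactly the scenario the letter describes; a server that instead deletes every session for the user at password-change time achieves the same result, at the cost of having to find them all.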

