Feeds

eBay security conspiracy catches on with readers

Backdoor man

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Letters Our story reporting the abundance of people who believe there is a secret backdoor in eBay's network appeared to touch a nerve. Please continue to send tips to your reporter at the link above.

Very interested to read your article, Dan. My eBay account has been hacked twice. Luckily both times eBay picked up on it quickly and let me know but that was only because the hacker went pretty crazy posting auctions.

However contacting them to express my concern I was rather insulted to receive an email back explaining how I must have been careless enough to give out my details to a phisher. I've been programming web systems for 9 years and consider myself pretty switched on to this kind of threat, so certainly haven't given out my details to anyone. Really pleased you've brought this into the open, let's hope eBay do something about it.

Best Regards,

Phil


I had exactly this happen to my ebay auction on Saturday. I was selling my car - quite a rare one so relatively highly valued, checked back to see how the bidding was going and found that it had been hacked, a fake buy it now price and button inserted and a message from the gmail account in question (I still have the address) telling people that they could now buy the car for £5,000. I don't reply to odd emails, nor do I ever give my details out, but they somehow got so deep into my account they even changed my date of birth. Ebay never confirmed how it happened, they just pulled my listing. They did agree that my account had been hacked, but just made me go through the stupid "safety tutorial" before they would let me back into my account.

I'm amazed that that many people fell foul to a phishing email. I'd changed my ebay password only five days before hand (as I'd forgotten my old one) and running a television post production facility I invest a lot of time and energy in security - I'm not the kind of guy to click on random emails.


The picture of the "Contivity VPN client" makes it look like the hacker hasn't so much "developed ... a sophisticated tool that reads confidential information residing on eBay's internal network", as "stolen one of their employees' RSA Secur-ID (or similar) keyfobs". That's what the number in the "token" field represents, and it means he's logging into their internal LAN - from which point it probably becomes trivial to gain access to the account data, management tools etc., internal security never being as good as it should be in corporate networks.

The interesting question then becomes "Why doesn't eBay deactivate lost or stolen keyfobs"?

cheers,

DaveK


So let me get this straight - some kid gets somebody to write a Firefox plugin for him that steals eBay login credentials, he gets lucky and get a forum moderator account, and uses that to modify hundreds (?) of auctions (because obviously forum moderators have that kind of power...) You don't think it likely that he used the *other* login credentials he stole to modify the auctions? No....too obvious. ^^

It looks like the hacker gained VPN access to the internal eBay network. That, along with the fact that they don't stored hashed passwords but plain text ones is a very likely explanation of what is happening. So it's just plain old fashioned hacking which leads to disastrous results because eBay's bad security design.

On a side note, I don't trust any site which emails you a confirmation link along with the username and password. First of all, they should never know your password textually (just retrieve the form and the same script stores the hash) and second of all, this is a goddamn email. With all https, ssl etc. emails are still clear text and can be intercepted relatively easily.


Thanks for the Bape Hoody article on The Register. I too was scammed at the back end of 2006 with Bape Hoodies for sale on my account. Ebay suspended my account, threatened to terminate my account if I did it again and treated me like some sort of criminal. It's nice to know that I probably wasn't phished but disturbing that ebay may have such holes in its security.

I have emailed ebay and asked them for a statement on this matter - I'll forward their reply if you wish

Thanks again

Jim


I read about ebay hijacking on a message board recently. One poster there pointed out that if you are logged into ebay from two separate machines and change the password on one, then the other machine is still logged in even though the details have changed. You can start and edit auctions from the second machine - thus the observed behaviour could happen if a hijacker was still logged whilst the password was changed.

®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Win a year’s supply of chocolate (no tech knowledge required)
Over £200 worth of the good stuff up for grabs
Facebook's Zuckerberg in EBOLA VIRUS FIGHT: Billionaire battles bug
US Centers for Disease Control and Prevention contacted as site supremo coughs up
Red Bull does NOT give you wings, $13.5m lawsuit says so
Website letting consumers claim $10 cash back crashes after stampede
Down-under record: Australian gets $140k for pussy
'Tiffany' closes deal - 'it's more common to offer your wife', says agent
Internet finally ready to replace answering machine cassette tape
It's a simple message and I'm leaving out the whistles and bells
Swiss wildlife park serves up furry residents to visitors
'It's ecological' says spokesman, now how would you like your Bambi done?
The iPAD launch BEFORE it happened: SPECULATIVE GUFF ahead of actual event
Nerve-shattering run-up to the pre-planned known event
Space exploration is just so lame. NEW APPS are mankind's future
We feel obliged to point out the headline statement is total, utter cobblers
STONER SHEEP get the MUNCHIES after feasting on £4k worth of cannabis plants
Baaaaaa! Fanny's Farm's woolly flock is high, maaaaaan
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.