Feeds

eBay security conspiracy catches on with readers

Backdoor man

  • alert
  • submit to reddit

High performance access to file storage

Letters Our story reporting the abundance of people who believe there is a secret backdoor in eBay's network appeared to touch a nerve. Please continue to send tips to your reporter at the link above.

Very interested to read your article, Dan. My eBay account has been hacked twice. Luckily both times eBay picked up on it quickly and let me know but that was only because the hacker went pretty crazy posting auctions.

However contacting them to express my concern I was rather insulted to receive an email back explaining how I must have been careless enough to give out my details to a phisher. I've been programming web systems for 9 years and consider myself pretty switched on to this kind of threat, so certainly haven't given out my details to anyone. Really pleased you've brought this into the open, let's hope eBay do something about it.

Best Regards,

Phil


I had exactly this happen to my ebay auction on Saturday. I was selling my car - quite a rare one so relatively highly valued, checked back to see how the bidding was going and found that it had been hacked, a fake buy it now price and button inserted and a message from the gmail account in question (I still have the address) telling people that they could now buy the car for £5,000. I don't reply to odd emails, nor do I ever give my details out, but they somehow got so deep into my account they even changed my date of birth. Ebay never confirmed how it happened, they just pulled my listing. They did agree that my account had been hacked, but just made me go through the stupid "safety tutorial" before they would let me back into my account.

I'm amazed that that many people fell foul to a phishing email. I'd changed my ebay password only five days before hand (as I'd forgotten my old one) and running a television post production facility I invest a lot of time and energy in security - I'm not the kind of guy to click on random emails.


The picture of the "Contivity VPN client" makes it look like the hacker hasn't so much "developed ... a sophisticated tool that reads confidential information residing on eBay's internal network", as "stolen one of their employees' RSA Secur-ID (or similar) keyfobs". That's what the number in the "token" field represents, and it means he's logging into their internal LAN - from which point it probably becomes trivial to gain access to the account data, management tools etc., internal security never being as good as it should be in corporate networks.

The interesting question then becomes "Why doesn't eBay deactivate lost or stolen keyfobs"?

cheers,

DaveK


So let me get this straight - some kid gets somebody to write a Firefox plugin for him that steals eBay login credentials, he gets lucky and get a forum moderator account, and uses that to modify hundreds (?) of auctions (because obviously forum moderators have that kind of power...) You don't think it likely that he used the *other* login credentials he stole to modify the auctions? No....too obvious. ^^

It looks like the hacker gained VPN access to the internal eBay network. That, along with the fact that they don't stored hashed passwords but plain text ones is a very likely explanation of what is happening. So it's just plain old fashioned hacking which leads to disastrous results because eBay's bad security design.

On a side note, I don't trust any site which emails you a confirmation link along with the username and password. First of all, they should never know your password textually (just retrieve the form and the same script stores the hash) and second of all, this is a goddamn email. With all https, ssl etc. emails are still clear text and can be intercepted relatively easily.


Thanks for the Bape Hoody article on The Register. I too was scammed at the back end of 2006 with Bape Hoodies for sale on my account. Ebay suspended my account, threatened to terminate my account if I did it again and treated me like some sort of criminal. It's nice to know that I probably wasn't phished but disturbing that ebay may have such holes in its security.

I have emailed ebay and asked them for a statement on this matter - I'll forward their reply if you wish

Thanks again

Jim


I read about ebay hijacking on a message board recently. One poster there pointed out that if you are logged into ebay from two separate machines and change the password on one, then the other machine is still logged in even though the details have changed. You can start and edit auctions from the second machine - thus the observed behaviour could happen if a hijacker was still logged whilst the password was changed.

®

High performance access to file storage

More from The Register

next story
Forget the beach 'n' boardwalk, check out the Santa Cruz STEVE JOBS FOUNTAIN
Reg reader snaps shot of touching tribute to Apple icon
Happy 40th Playmobil: Reg looks back at small, rude world of our favourite tiny toys
Little men straddle LOHAN, attend tiny G20 Summit... ah, sweet memories...
Oz bank in comedy Heartbleed blog FAIL
Bank: 'We are now safely patched.' Customers: 'You were using OpenSSL?'
Lego is the TOOL OF SATAN, thunders Polish priest
New minifigs like Monster Fighters are turning kids to the dark side
Dark SITH LORD 'Darth Vader' joins battle to rule, er, Ukraine
Only I can 'make an empire out of a republic' intones presidential candidate
Chinese company counters pollution by importing fresh air
Citizens line up for bags of that sweet, sweet mountain air
Google asks April Fools: Want a job? Be our 'Pokemon Master'
Mountain View is prankin' like it's 1999...
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.