Privacy concerns over gaps in eBay crypto
HTTP still being used
eBay uses HTTPS on its most critical pages, such as those where payment or address information is entered, but a lack of encryption on several sensitive pages still poses a concern for the privacy conscious.
Many pages on the site, which require user input or contain their personal info, are not HTTPS encrypted, according to security experts. The online auction house acknowledges the point but said it was in the process of making encryption ubiquitous across the site.
More specifically eBay does not currently use HTTPS on the My eBay dashboard, nor on business-to-customer message pages. A VPN can mitigate the risks that arise from the lack of HTTPS on these pages.
El Reg learnt of the issue from Mark Richards, a former eBay contractor who worked in Gumtree (eBay classifieds group) in the UK turned whistleblower, who is campaigning on the issue. Richards has documented his concerns in a series of blog posts (here and here) as well as unsuccessfully attempting to get action by approaching the internet giant through social media (here and here).
"eBay has been told repeatedly by customers that they are sending confidential information over HTTP," Richards told El Reg.
Two independent security experts have verified Richards' concerns.
In a statement, eBay said it was in the process of expanding the use of encryption across its site. It said secondary controls it had in place would help protect users in the meantime.
eBay protects all pages that involve sensitive information with authentication and authorization controls. All critical flows that involve sensitive data are delivered over SSL (HTTPS).
This incorporates the login flows but also further critical flows like registration, payment and critical updates to users' profiles. Additionally, eBay has deployed a myriad of proprietary technologies to detect and prevent attempts of account misuse.
These technologies run behind the scenes to protect our users' accounts against any illegitimate access. We are continuously investing at large scale into the security of our site. This includes the further development of our technologies to identify and prevent attempts of account misuse, as well as the expansion of SSL usage on our site, which is a key priority for eBay.
As things stand consumers need to be careful when accessing their account activity, personal information and stored messages. When customers send and receive messages from sellers, for example, their communications are not sent over a private channel.
A user would log into eBay using their details over a secure connection but once they navigate to "My eBay" part of the site they are not longer connected using an encrypted connection.
"The worrying things for me is that anyone can intercept all of my buying habits or even intercept my communications to a seller," a third-party software development expert told El Reg.
A hacker on the same network could intercept and read messages sent through eBay. The same class of trickery could be used to send messages ostensibly from a user's account, technology comparison site Comparitech.com warns.
The tech site goes on to suggest that eBay's lack of encryption on these pages could be insufficient to meet data privacy standards, including the upcoming GDPR.
El Reg expects eBay to comply with relevant data protection regulations as part of its normal business process.
Complaints have raised alleging that eBay fails to meet current data protection regulations. El Reg understands these complaints are still under consideration and should therefore be treated as unconfirmed. ®