Original URL: http://www.theregister.co.uk/2007/02/22/conspiracy_letters/

eBay security conspiracy catches on with readers

Backdoor man

By Dan Goodin

Posted in Letters, 22nd February 2007 02:52 GMT

Letters Our story reporting the abundance of people who believe there is a secret backdoor in eBay's network appeared to touch a nerve. Please continue to send tips to your reporter at the link above.

Very interested to read your article, Dan. My eBay account has been hacked twice. Luckily both times eBay picked up on it quickly and let me know but that was only because the hacker went pretty crazy posting auctions.

However contacting them to express my concern I was rather insulted to receive an email back explaining how I must have been careless enough to give out my details to a phisher. I've been programming web systems for 9 years and consider myself pretty switched on to this kind of threat, so certainly haven't given out my details to anyone. Really pleased you've brought this into the open, let's hope eBay do something about it.

Best Regards,

Phil


I had exactly this happen to my ebay auction on Saturday. I was selling my car - quite a rare one so relatively highly valued, checked back to see how the bidding was going and found that it had been hacked, a fake buy it now price and button inserted and a message from the gmail account in question (I still have the address) telling people that they could now buy the car for £5,000. I don't reply to odd emails, nor do I ever give my details out, but they somehow got so deep into my account they even changed my date of birth. Ebay never confirmed how it happened, they just pulled my listing. They did agree that my account had been hacked, but just made me go through the stupid "safety tutorial" before they would let me back into my account.

I'm amazed that that many people fell foul to a phishing email. I'd changed my ebay password only five days before hand (as I'd forgotten my old one) and running a television post production facility I invest a lot of time and energy in security - I'm not the kind of guy to click on random emails.


The picture of the "Contivity VPN client" makes it look like the hacker hasn't so much "developed ... a sophisticated tool that reads confidential information residing on eBay's internal network", as "stolen one of their employees' RSA Secur-ID (or similar) keyfobs". That's what the number in the "token" field represents, and it means he's logging into their internal LAN - from which point it probably becomes trivial to gain access to the account data, management tools etc., internal security never being as good as it should be in corporate networks.

The interesting question then becomes "Why doesn't eBay deactivate lost or stolen keyfobs"?

cheers,

DaveK


So let me get this straight - some kid gets somebody to write a Firefox plugin for him that steals eBay login credentials, he gets lucky and get a forum moderator account, and uses that to modify hundreds (?) of auctions (because obviously forum moderators have that kind of power...) You don't think it likely that he used the *other* login credentials he stole to modify the auctions? No....too obvious. ^^

It looks like the hacker gained VPN access to the internal eBay network. That, along with the fact that they don't stored hashed passwords but plain text ones is a very likely explanation of what is happening. So it's just plain old fashioned hacking which leads to disastrous results because eBay's bad security design.

On a side note, I don't trust any site which emails you a confirmation link along with the username and password. First of all, they should never know your password textually (just retrieve the form and the same script stores the hash) and second of all, this is a goddamn email. With all https, ssl etc. emails are still clear text and can be intercepted relatively easily.


Thanks for the Bape Hoody article on The Register. I too was scammed at the back end of 2006 with Bape Hoodies for sale on my account. Ebay suspended my account, threatened to terminate my account if I did it again and treated me like some sort of criminal. It's nice to know that I probably wasn't phished but disturbing that ebay may have such holes in its security.

I have emailed ebay and asked them for a statement on this matter - I'll forward their reply if you wish

Thanks again

Jim


I read about ebay hijacking on a message board recently. One poster there pointed out that if you are logged into ebay from two separate machines and change the password on one, then the other machine is still logged in even though the details have changed. You can start and edit auctions from the second machine - thus the observed behaviour could happen if a hijacker was still logged whilst the password was changed.

®