Privacy concerns over gaps in eBay crypto

HTTP still being used

By John Leyden

Posted in Security, 22nd February 2017 16:26 GMT

eBay uses HTTPS on its most critical pages, such as those where payment or address information is entered, but a lack of encryption on several sensitive pages still poses a concern for the privacy conscious.

Many pages on the site that require user input or display users' personal information are not served over HTTPS, according to security experts. The online auction house acknowledges the point but said it was in the process of making encryption ubiquitous across the site.

More specifically, eBay does not currently use HTTPS on the My eBay dashboard, nor on business-to-customer message pages. A VPN can mitigate the risks that arise from the lack of HTTPS on these pages, at least against eavesdroppers on the user's local network.

El Reg learnt of the issue from Mark Richards, a former eBay contractor turned whistleblower who worked at Gumtree (part of eBay's classifieds group) in the UK and who is campaigning on the issue. Richards has documented his concerns in a series of blog posts (here and here) as well as unsuccessfully attempting to get action by approaching the internet giant through social media (here and here).

"eBay has been told repeatedly by customers that they are sending confidential information over HTTP," Richards told El Reg.

Two independent security experts have verified Richards' concerns.

In a statement, eBay said it was in the process of expanding the use of encryption across its site. It said secondary controls it had in place would help protect users in the meantime.

eBay protects all pages that involve sensitive information with authentication and authorization controls. All critical flows that involve sensitive data are delivered over SSL (HTTPS).

This incorporates the login flows but also further critical flows like registration, payment and critical updates to users' profiles. Additionally, eBay has deployed a myriad of proprietary technologies to detect and prevent attempts of account misuse.

These technologies run behind the scenes to protect our users' accounts against any illegitimate access. We are continuously investing at large scale into the security of our site. This includes the further development of our technologies to identify and prevent attempts of account misuse, as well as the expansion of SSL usage on our site, which is a key priority for eBay.

As things stand, consumers need to be careful when accessing their account activity, personal information and stored messages. When customers send and receive messages from sellers, for example, their communications are not sent over a private channel.

A user would log into eBay using their details over a secure connection, but once they navigate to the "My eBay" part of the site they are no longer connected over an encrypted connection.

"The worrying thing for me is that anyone can intercept all of my buying habits or even intercept my communications to a seller," a third-party software development expert told El Reg.

A hacker on the same network could intercept and read messages sent through eBay. The same class of trickery could be used to send messages ostensibly from a user's account, technology comparison site Comparitech.com warns.
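The mechanism behind that warning is that a session cookie issued during an HTTPS login is attached by the browser to every later request for the same host, including plain-HTTP pages, unless it carries the Secure attribute. The following audit helper is an added example (not from the article or from eBay) that replays a constructed login-then-browse flow and reports which cookies would cross the wire in clear; the host name, cookie names and paths are placeholders.

```python
"""Flag cookies that leak when a site mixes HTTPS login with HTTP pages.

Added example, not part of the article. All Set-Cookie headers and URLs
below are constructed placeholders, not captured eBay traffic.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed: cookies a site might set on its HTTPS sign-in response.
LOGIN_SET_COOKIE = [
    "sessid=abc123; Path=/; HttpOnly",          # missing Secure flag
    "csrf=zz9; Path=/; Secure; HttpOnly",       # correctly Secure
    "prefs=en; Path=/",                         # harmless but also leaks
]

# Constructed: HTTPS login, then dashboard and messages served over HTTP.
VISITED = [
    "https://example.test/signin",
    "http://example.test/myebay",
    "http://example.test/messages",
]


def parse_set_cookie(headers):
    """Map cookie name -> {'secure': bool, 'httponly': bool}."""
    jar = {}
    for line in headers:
        cookie = SimpleCookie()
        cookie.load(line)
        for name, morsel in cookie.items():
            jar[name] = {
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return jar


def cookies_sent(jar, url):
    """Cookie names a browser attaches to a request for url (RFC 6265:
    Secure cookies go only over https; all others travel on http too)."""
    over_tls = urlparse(url).scheme == "https"
    return sorted(n for n, attrs in jar.items() if over_tls or not attrs["secure"])


def audit_flow(set_cookie_headers, urls):
    """For every plain-HTTP page visited, list cookies exposed in cleartext."""
    jar = parse_set_cookie(set_cookie_headers)
    return {u: cookies_sent(jar, u) for u in urls if urlparse(u).scheme != "https"}


if __name__ == "__main__":
    for page, leaked in audit_flow(LOGIN_SET_COOKIE, VISITED).items():
        print(f"{page}: cleartext cookies {leaked}")
```

Any page listed with the session cookie in its output is one where an on-path observer sees the credential that impersonates the user, which is why the fix is both serving the page over HTTPS and marking the session cookie Secure.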

The tech site goes on to suggest that eBay's lack of encryption on these pages could be insufficient to meet data privacy standards, including the upcoming GDPR.

El Reg expects eBay to comply with relevant data protection regulations as part of its normal business process.

Complaints have been raised alleging that eBay fails to meet current data protection regulations. El Reg understands these complaints are still under consideration and should therefore be treated as unconfirmed. ®
