Privacy concerns over gaps in eBay crypto

HTTP still being used

By John Leyden


eBay uses HTTPS on its most critical pages, such as those where payment or address information is entered, but a lack of encryption on several sensitive pages still poses a concern for the privacy conscious.

Many pages on the site that require user input or display personal information are not served over HTTPS, according to security experts. The online auction house acknowledged the point but said it was in the process of making encryption ubiquitous across the site.

More specifically, eBay does not currently use HTTPS on the My eBay dashboard, nor on business-to-customer message pages. A VPN can mitigate the risks that arise from the lack of HTTPS on these pages.

El Reg learnt of the issue from Mark Richards, a former eBay contractor who worked at Gumtree (eBay's classifieds group) in the UK and has since turned whistleblower, campaigning on the issue. Richards has documented his concerns in a series of blog posts (here and here) and has also tried, without success, to get action by approaching the internet giant through social media (here and here).

"eBay has been told repeatedly by customers that they are sending confidential information over HTTP," Richards told El Reg.

Two independent security experts have verified Richards' concerns.

In a statement, eBay said it was in the process of expanding the use of encryption across its site. It said secondary controls it had in place would help protect users in the meantime.

eBay protects all pages that involve sensitive information with authentication and authorization controls. All critical flows that involve sensitive data are delivered over SSL (HTTPS).

This incorporates the login flows but also further critical flows like registration, payment and critical updates to users' profiles. Additionally, eBay has deployed a myriad of proprietary technologies to detect and prevent attempts of account misuse.

These technologies run behind the scenes to protect our users' accounts against any illegitimate access. We are continuously investing at large scale into the security of our site. This includes the further development of our technologies to identify and prevent attempts of account misuse, as well as the expansion of SSL usage on our site, which is a key priority for eBay.

As things stand, consumers need to be careful when accessing their account activity, personal information and stored messages. When customers send messages to and receive messages from sellers, for example, their communications are not carried over a private channel.

A user logs into eBay with their credentials over a secure connection, but once they navigate to the "My eBay" part of the site they are no longer using an encrypted connection.

"The worrying thing for me is that anyone can intercept all of my buying habits or even intercept my communications to a seller," a third-party software development expert told El Reg.

A hacker on the same network could intercept and read messages sent through eBay. The same class of trickery could be used to send messages ostensibly from a user's account, a technology comparison site warns.
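The flow described above, a sign-in over HTTPS followed by browsing to an account page over plain HTTP, exposes the session cookie whenever that cookie lacks the Secure flag, because the browser attaches it to the plaintext request before any redirect can arrive. The Python script below is an added illustration written for this article, not eBay's code and not taken from the piece: it audits a constructed log of responses (the hostnames, cookie names and header values are made up) for the three controls that close that gap: the Secure cookie attribute, redirection of plaintext requests to HTTPS, and a Strict-Transport-Security header.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample traffic (hypothetical hostnames and values, not real eBay
# responses): sign-in is served over HTTPS, the account dashboard over HTTP,
# and the session cookie is set without the Secure flag.
WEAK_RESPONSES = [
    {
        "url": "https://www.example.test/signin",
        "status": 200,
        "headers": {"Set-Cookie": "session=abc123; Path=/; HttpOnly"},
    },
    {
        "url": "http://www.example.test/myaccount",
        "status": 200,
        "headers": {},
    },
]

# The same flow with the controls in place: Secure cookie, HSTS, and a
# redirect that bounces the plaintext request to HTTPS before serving content.
HARDENED_RESPONSES = [
    {
        "url": "https://www.example.test/signin",
        "status": 200,
        "headers": {
            "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        },
    },
    {
        "url": "http://www.example.test/myaccount",
        "status": 301,
        "headers": {"Location": "https://www.example.test/myaccount"},
    },
]

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def audit(responses):
    """Walk an ordered list of responses and report every way a session
    cookie or page content could cross the wire in plaintext."""
    findings = []
    insecure_cookies = {}  # cookie name -> host it was set on
    hsts_seen = False

    for resp in responses:
        parsed = urlparse(resp["url"])
        headers = resp["headers"]

        # HSTS only counts when delivered over HTTPS; browsers ignore it on HTTP.
        if parsed.scheme == "https" and "Strict-Transport-Security" in headers:
            hsts_seen = True

        # Record cookies that lack the Secure flag; the browser will attach
        # them to any later plaintext request for the same host.
        if "Set-Cookie" in headers:
            jar = SimpleCookie()
            jar.load(headers["Set-Cookie"])
            for name, morsel in jar.items():
                if not morsel["secure"]:
                    insecure_cookies[name] = parsed.hostname
                    findings.append(
                        f"cookie {name!r} set without Secure flag at {resp['url']}"
                    )

        if parsed.scheme == "http":
            # The cookie travels in the request, which leaves before any
            # redirect comes back, so a redirect alone does not protect it.
            for name, host in sorted(insecure_cookies.items()):
                if host == parsed.hostname:
                    findings.append(
                        f"cookie {name!r} would be sent in the clear to {resp['url']}"
                    )
            location = headers.get("Location", "")
            redirected = (
                resp["status"] in REDIRECT_STATUSES and location.startswith("https://")
            )
            if not redirected:
                findings.append(f"page served over plaintext HTTP: {resp['url']}")

    if not hsts_seen:
        findings.append("no Strict-Transport-Security header seen on any HTTPS response")
    return findings


if __name__ == "__main__":
    for label, responses in (("weak", WEAK_RESPONSES), ("hardened", HARDENED_RESPONSES)):
        print(f"[{label}]")
        for line in audit(responses) or ["no findings"]:
            print("  -", line)
```

Against the weak flow the audit reports four findings: the cookie set without Secure, that cookie going out in the clear to the dashboard request, the dashboard itself served over HTTP, and the absence of HSTS; the hardened flow produces none. In practice the response list would come from an intercepting proxy or a scripted browsing session rather than being embedded, but the checks are the same.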

The tech site goes on to suggest that eBay's lack of encryption on these pages could be insufficient to meet data privacy standards, including the upcoming GDPR.

El Reg expects eBay to comply with relevant data protection regulations as part of its normal business process.

Complaints have been raised alleging that eBay fails to meet current data protection regulations. El Reg understands these complaints are still under consideration and should therefore be treated as unconfirmed. ®
