Privacy concerns over gaps in eBay crypto

HTTP still being used

By John Leyden


eBay uses HTTPS on its most critical pages, such as those where payment or address information is entered, but a lack of encryption on several sensitive pages still poses a concern for the privacy conscious.

Many pages on the site, which require user input or contain their personal info, are not HTTPS encrypted, according to security experts. The online auction house acknowledges the point but said it was in the process of making encryption ubiquitous across the site.

More specifically, eBay does not currently use HTTPS on the My eBay dashboard, nor on business-to-customer message pages. A VPN can mitigate the risks that arise from the lack of HTTPS on these pages.

El Reg learnt of the issue from Mark Richards, a former eBay contractor turned whistleblower who worked at Gumtree (part of eBay's classifieds group) in the UK and who is campaigning on the issue. Richards has documented his concerns in a series of blog posts (here and here) as well as unsuccessfully attempting to get action by approaching the internet giant through social media (here and here).

"eBay has been told repeatedly by customers that they are sending confidential information over HTTP," Richards told El Reg.

Two independent security experts have verified Richards' concerns.

In a statement, eBay said it was in the process of expanding the use of encryption across its site. It said secondary controls it had in place would help protect users in the meantime.

eBay protects all pages that involve sensitive information with authentication and authorization controls. All critical flows that involve sensitive data are delivered over SSL (HTTPS).

This incorporates the login flows but also further critical flows like registration, payment and critical updates to users' profiles. Additionally, eBay has deployed a myriad of proprietary technologies to detect and prevent attempts of account misuse.

These technologies run behind the scenes to protect our users' accounts against any illegitimate access. We are continuously investing at large scale into the security of our site. This includes the further development of our technologies to identify and prevent attempts of account misuse, as well as the expansion of SSL usage on our site, which is a key priority for eBay.

As things stand consumers need to be careful when accessing their account activity, personal information and stored messages. When customers send and receive messages from sellers, for example, their communications are not sent over a private channel.

A user would log into eBay using their details over a secure connection, but once they navigate to the "My eBay" part of the site they are no longer connected using an encrypted connection.
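As an added illustration (not from the article, and not eBay's code), the following Python audits a constructed navigation flow for exactly this gap: a login over HTTPS followed by account pages over plain HTTP. The host, cookie names and response headers are assumptions; the minimal cookie jar applies the Secure-attribute rule and HSTS upgrade that browsers use, so it reports which session cookies would travel in the clear.

```python
"""Audit a browsing flow for the HTTPS-login-then-HTTP-pages gap."""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), value, attrs


class CookieJar:
    """Stores cookies and, like a browser, withholds Secure ones from http:// URLs."""

    def __init__(self):
        self.cookies = {}  # name -> (value, attrs)

    def store(self, headers):
        for h in headers.get("set-cookie", []):
            name, value, attrs = parse_set_cookie(h)
            self.cookies[name] = (value, attrs)

    def cookies_for(self, url):
        scheme = urlsplit(url).scheme
        return {n: v for n, (v, a) in self.cookies.items()
                if scheme == "https" or not a.get("secure")}


def audit_flow(flow):
    """flow: [(url, response headers)] in navigation order. Returns the pages that
    would be fetched in plaintext, the cookies sent on them, and HSTS hosts seen."""
    jar, hsts_hosts = CookieJar(), set()
    findings = {"plaintext_pages": [], "leaked_cookies": [], "hsts_hosts": []}
    for url, headers in flow:
        u = urlsplit(url)
        if u.scheme == "http" and u.hostname not in hsts_hosts:  # no HSTS: stays plaintext
            findings["plaintext_pages"].append(url)
            findings["leaked_cookies"] += [(n, url) for n in jar.cookies_for(url)]
        elif u.scheme == "https" and "strict-transport-security" in headers:
            hsts_hosts.add(u.hostname)  # browser will upgrade later http:// requests
        jar.store(headers)  # cookies from this response apply to later requests
    findings["hsts_hosts"] = sorted(hsts_hosts)
    return findings


# Constructed sample flows (hypothetical host, not captured eBay traffic).
SAMPLE_FLOW = [
    ("https://example.test/login", {"set-cookie": ["session=abc123; Path=/; HttpOnly"]}),
    ("http://example.test/myaccount", {}),
    ("http://example.test/messages", {}),
]
HARDENED_FLOW = [
    ("https://example.test/login", {"set-cookie": ["session=abc123; Path=/; HttpOnly; Secure"],
                                    "strict-transport-security": "max-age=31536000"}),
    ("http://example.test/myaccount", {}),
]
```

Running `audit_flow(SAMPLE_FLOW)` lists both account pages as plaintext with the session cookie sent on each, while `audit_flow(HARDENED_FLOW)` reports nothing leaked because the Secure flag and HSTS keep the session on HTTPS.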

"The worrying thing for me is that anyone can intercept all of my buying habits or even intercept my communications to a seller," a third-party software development expert told El Reg.

A hacker on the same network could intercept and read messages sent through eBay. The same class of trickery could be used to send messages ostensibly from a user's account, a technology comparison site warns.

The tech site goes on to suggest that eBay's lack of encryption on these pages could be insufficient to meet data privacy standards, including the upcoming GDPR.

El Reg expects eBay to comply with relevant data protection regulations as part of its normal business process.

Complaints have been raised alleging that eBay fails to meet current data protection regulations. El Reg understands these complaints are still under consideration and should therefore be treated as unconfirmed. ®
