EBay closes password option to plug hole

Troy Wolverton CNet

Published: 03 Apr 2002 10:56 BST


EBay disabled a password function on its site Tuesday to close a "very serious" security hole that could allow hackers access to users' accounts, a spokesman said.

EBay disabled the "Change Your Password" function in an effort to close the vulnerability, eBay spokesman Kevin Pursglove said Tuesday. That feature will remain disabled until eBay can put a fix in place, he said.

"We don't see (the vulnerability) existing in other features," and no customers have complained, Pursglove said. "From what we can tell right now, we have not seen anybody's account compromised in any way."

Greg Shipley, chief technology officer of security consulting firm Neohapsis, blamed the problem on a "design failure" in eBay's authentication system.

"It's just a bad design. It's kind of disappointing coming from a company the size of eBay," Shipley said.

The vulnerability, discovered by a Canadian security expert and brought to eBay's attention late last week, would allow anyone who knew the user ID of an account to use eBay's "Change Your Password" feature to set a new password for that account and so gain access to it.

Pursglove said people who potentially exploited the vulnerability would not have been able to see credit card numbers.

"What they can see is the credit card transaction history of a user," Pursglove said, calling the problem "very serious." The credit card numbers, he said, are behind a separate firewall.
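The design failure described above, reconstructed as an added example in Python (this is not eBay's code, which is not on the page): a password-change handler that accepts a user ID alone, beside a hardened version that demands proof of ownership, either the current password or a single-use, expiring reset token that would be delivered out of band. The in-memory store, the PBKDF2 parameters, the token lifetime and the user IDs are assumptions.

```python
# Added example, not eBay's code: the flawed "change password on user ID
# alone" flow the article describes, beside a hardened version. The
# in-memory store, PBKDF2 parameters and token lifetime are assumptions.
import hashlib
import hmac
import os
import secrets
import time


def hash_password(password, salt):
    # Slow salted hash so a leaked table is not trivially reversed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    def __init__(self):
        self.accounts = {}      # user_id -> {"salt": bytes, "hash": bytes}
        self.reset_tokens = {}  # token -> (user_id, expiry as epoch seconds)

    def create(self, user_id, password):
        self._set_password(user_id, password)

    def verify(self, user_id, password):
        acct = self.accounts.get(user_id)
        if acct is None:
            return False
        candidate = hash_password(password, acct["salt"])
        return hmac.compare_digest(acct["hash"], candidate)

    def _set_password(self, user_id, new_password):
        salt = os.urandom(16)
        self.accounts[user_id] = {"salt": salt,
                                  "hash": hash_password(new_password, salt)}

    # VULNERABLE: the only input tied to the victim is the public user ID,
    # so anyone who knows it can set a new password and take the account.
    def change_password_insecure(self, user_id, new_password):
        if user_id not in self.accounts:
            return False
        self._set_password(user_id, new_password)
        return True

    # HARDENED, signed-in path: the caller must prove possession of the
    # current password before it can be replaced.
    def change_password(self, user_id, current_password, new_password):
        if not self.verify(user_id, current_password):
            return False
        self._set_password(user_id, new_password)
        return True

    # HARDENED, forgotten-password path: a single-use, expiring token is
    # generated server-side and would be delivered out of band (e.g. to the
    # e-mail address on file). Knowing the user ID is not enough; the
    # attacker would also need the delivery channel.
    def issue_reset_token(self, user_id, ttl_seconds=900, now=None):
        if user_id not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        expires_at = (time.time() if now is None else now) + ttl_seconds
        self.reset_tokens[token] = (user_id, expires_at)
        return token

    def reset_with_token(self, token, new_password, now=None):
        entry = self.reset_tokens.pop(token, None)  # pop: single use
        if entry is None:
            return False
        user_id, expires_at = entry
        if (time.time() if now is None else now) > expires_at:
            return False
        self._set_password(user_id, new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.create("seller42", "correct horse battery")
    # Attacker knows only the user ID (constructed):
    print(store.change_password_insecure("seller42", "attacker-chosen"))  # True
    print(store.change_password("seller42", "guess", "attacker-chosen"))  # False
```

The point of the token path is that the secret the server checks is one it generated itself and sent somewhere only the legitimate owner can read; a "security question" or any other value an attacker can look up or guess from the public user ID would reproduce the same design failure.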

While eBay has disabled access to that security hole, the company is still working on a fix for an earlier problem involving so-called dictionary attacks. These attacks use a bot, or automated program, to find the passwords of known eBay user IDs by trying each entry in a list of common passwords and a dictionary of words.

EBay has said that the number of accounts compromised by dictionary attacks has been no more than the "low triple digits." The company has also said that less than one one-hundredth of 1 percent of its listings end in confirmed cases of fraud.

"We're working on it right now," Pursglove said, adding that changes to the login procedure would be in place in four to six weeks. "We think it will make it harder for these (attacks) to work."
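The dictionary-attack pattern described above, as an added Python example of the detection logic a site could run over its login records; it is not eBay's code, and the log format, IP addresses, user IDs and thresholds are constructed assumptions. It flags three things: a user ID accumulating failed logins in a short window, a single source failing against many different user IDs (the bot signature), and a flagged user ID whose next login succeeds, which is the sign that a guess landed.

```python
# Added example, not eBay's code: flagging the dictionary-attack pattern the
# article describes (a bot trying a password list against known user IDs)
# from login audit records. The log format, IP addresses, user IDs and
# thresholds are constructed assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, source IP, user ID, outcome
SAMPLE_LOG = """\
2002-04-02T10:00:01 203.0.113.7 seller42 FAIL
2002-04-02T10:00:02 203.0.113.7 seller42 FAIL
2002-04-02T10:00:03 203.0.113.7 seller42 FAIL
2002-04-02T10:00:04 203.0.113.7 seller42 FAIL
2002-04-02T10:00:05 203.0.113.7 seller42 FAIL
2002-04-02T10:00:06 203.0.113.7 seller42 SUCCESS
2002-04-02T10:00:07 203.0.113.7 buyer77 FAIL
2002-04-02T10:00:08 203.0.113.7 shop9 FAIL
2002-04-02T10:01:10 198.51.100.5 collector FAIL
2002-04-02T10:01:20 198.51.100.5 collector FAIL
2002-04-02T10:01:30 198.51.100.5 collector SUCCESS
2002-04-02T11:30:00 203.0.113.9 antiques FAIL
"""


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def detect(log_text, window=timedelta(minutes=5),
           per_user_limit=5, per_ip_user_limit=3):
    """Return (locked_users, suspect_ips, compromised_users).

    locked_users      : user IDs with >= per_user_limit failures inside the window
    suspect_ips       : IPs that failed against >= per_ip_user_limit distinct IDs
                        inside the window (one source, many accounts)
    compromised_users : locked user IDs that then saw a SUCCESS, i.e. a guess landed
    """
    user_fails = defaultdict(deque)  # user -> failure timestamps in window
    ip_fails = defaultdict(deque)    # ip -> (timestamp, user) failures in window
    locked, suspect, compromised = set(), set(), set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = parse_line(line)

        if outcome == "SUCCESS":
            if user in locked:
                compromised.add(user)
            continue

        q = user_fails[user]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= per_user_limit:
            locked.add(user)

        p = ip_fails[ip]
        p.append((ts, user))
        while ts - p[0][0] > window:
            p.popleft()
        if len({u for _, u in p}) >= per_ip_user_limit:
            suspect.add(ip)

    return locked, suspect, compromised


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Two caveats a practitioner would want: a per-user lockout on its own hands an attacker who knows user IDs a way to lock legitimate users out, so it is better paired with throttling or a challenge on the source rather than a hard lock; and the per-source signal misses a bot spread across many addresses, which is why the per-user count is kept as well.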

Security experts have criticised the company's log-in system, saying that because it generally transmits passwords and account information in plain text, it is vulnerable to "packet sniffers," programs that can monitor the transmission of data between computers.

EBay has also repeatedly warned members in recent months about another, more low-tech scam: fraudulent e-mail messages that purport to come from the company but link to bogus Web sites that ask for their passwords or other account information.
