eBay waited over 30 days before they fixed password stealing flaw
eBay has been criticised for taking over a month to fix a security flaw that could have left millions of users’ passwords at risk.
The security flaw was discovered on 11th December by a security researcher known only as MLT. He contacted eBay the same day he found the flaw, but revealed a month later that eBay had only just fixed it.
MLT said eBay “only rushed to patch the security flaw after the media contacted them”. In a blog post, MLT described the flaw as “fairly basic”. He demonstrated how hackers could have set up a fake login page with ‘ebay.com’ in the URL, which would trick users into revealing their usernames and passwords.
The hackers could then lure victims to these pages by sending a phishing email containing links to the bogus login page. Once the hackers had stolen the usernames and passwords, they could send scam emails to millions of other users or even place bids.
eBay has blamed a “miscommunication” with MLT for the delay in fixing the security flaw.
An eBay spokesman was quoted as saying: “we’re aware of this particular issue, which involves fraudsters attempting to phish customers using malicious code in very limited cases; this type of scheme is extremely rare on our platform”.
There is no sign that hackers have exploited the security flaw and stolen any passwords, but it is an indication of just how many vulnerabilities lie undiscovered in the websites we all use daily.
This is not the first time eBay has reacted slowly to a reported security flaw. Back in 2015, Estonian researcher Jaanus Kääp said eBay had not fixed a security vulnerability he had found and emailed them about 4 times in 12 months.
Hackers have been exploiting an old vulnerability in eBay that lets them steal your password if you click on their fake listing.
Yet another eBay hack has been exposed, just four months after criminals stole millions of passwords, forcing everyone with an eBay account to change their password.
In the newest wave of attacks, criminals are creating fake listings that show up in search results. Clicking on one of these fake listings redirects you to a fake eBay sign-in page that asks for your user ID and password. If you enter your details, you are effectively handing over your account: the attackers can then try to buy items using your PayPal account, or even log in to your email account (the address is shown in your eBay account details), where they can look for sensitive information.
Unlike other phishing scams, these fake listings look authentic: they have no spelling mistakes or badly worded phrases, they are good enough to fool the most cautious shoppers, and they can appear anywhere on eBay.
According to the BBC, the first fake listing, which purported to sell a digital camera, was reported to eBay back in February. Early in September there was another fake listing, this time for an iPhone. The BBC said this listing was still on eBay’s site 12 hours after it was reported and was only taken down when the BBC contacted eBay directly; leaving the listing live for so long was a huge mistake by eBay.
A BBC investigation uncovered 64 fake listings over a 15-day period in September, covering a wide range of goods and not just electrical goods. Kaspersky’s senior security researcher David Emm thinks this is just the tip of the iceberg. He went on to say: “It’s certainly possible that there may be more. Even if there aren’t, there is no way of knowing just how many eBay customers have clicked the links and been redirected”.
The worrying thing is that the listings do not simply contain a malicious link in the product description, which would be a relatively straightforward type of attack. Instead, the hackers have somehow managed to tweak eBay’s code so they can infiltrate the search results, which exposes a deep flaw in the site’s security.
eBay has yet to comment on the BBC’s claims of finding at least 64 malicious listings. A spokesman for eBay did confirm the fake iPhone listing and said it was taken down as soon as they were aware of it.
So what can you do to stay safe?
Most reputable antivirus programs come with a good anti-phishing tool, which should help identify fake eBay pages, but you should check whether your antivirus has one.
Avast antivirus analyst Jiri Sejtko also warns users to be “suspicious if a site requests you to log in or wants you to provide any personal details when you would not normally do so”. In the eBay attacks, clicking on the listing took you to a fake sign-in page; eBay would never normally ask you to sign in at that point. Most shopping sites only want you to log in when you purchase something.
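The anti-phishing check that the advice above relies on comes down to one rule: judge a login link by the host the browser will actually connect to, not by whether the trusted name appears somewhere in the URL. The following is an added example, not code from the article or from eBay or any antivirus vendor, that applies that rule to a handful of constructed links modelled on the tricks described above (the trusted name as a prefix of another host, in the path, or before an `@`, plus a plain-HTTP link and a homoglyph domain). The trusted domain, the `.test` hostnames and the sample links are all assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumption: the registrable domain whose login pages we trust (constructed for this example).
TRUSTED_DOMAIN = "ebay.com"


def classify_login_url(url, trusted_domain=TRUSTED_DOMAIN):
    """Decide whether a link claiming to be a login page really sits on the
    trusted domain. Returns (is_trusted, reason).

    Only the parsed host is consulted. The trusted name appearing anywhere
    else (path, query, userinfo, or as a prefix of another host) does not
    count, which is exactly what a look-alike URL relies on.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, "unparseable URL: %s" % exc

    if parts.scheme != "https":
        return False, "scheme %r is not https" % (parts.scheme or "")

    if parts.username is not None:
        # user@host syntax lets text before the '@' pose as the host in a casual read
        return False, "URL carries userinfo before the real host"

    host = (parts.hostname or "").rstrip(".")   # urlsplit already lower-cases the host
    if not host:
        return False, "URL has no host"

    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False, "host is not a valid internationalised domain name"
    if ascii_host != host:
        # Homoglyph domains (e.g. a Cyrillic letter in the name) become xn-- labels
        return False, "host uses non-ASCII characters (IDNA form %s)" % ascii_host

    if host == trusted_domain or host.endswith("." + trusted_domain):
        return True, "host is %s or a subdomain of it" % trusted_domain

    if trusted_domain in url.lower():
        return False, "host is %s; %r appears elsewhere in the URL (look-alike)" % (host, trusted_domain)
    return False, "host is %s, not %s" % (host, trusted_domain)


def flag_suspicious(urls, trusted_domain=TRUSTED_DOMAIN):
    """Return [(url, reason)] for every URL that is not a trusted login page."""
    flagged = []
    for url in urls:
        ok, reason = classify_login_url(url, trusted_domain)
        if not ok:
            flagged.append((url, reason))
    return flagged


# Constructed sample links (hypothetical hosts under the reserved .test TLD).
SAMPLE_LINKS = [
    "https://signin.ebay.com/signin",                  # genuine: host is a subdomain of the trusted domain
    "https://www.ebay.com.login-example.test/signin",  # trusted name as a prefix of another host
    "https://login-example.test/ebay.com/signin",      # trusted name only in the path
    "https://ebay.com@login-example.test/signin",      # trusted name as userinfo before '@'
    "http://signin.ebay.com/signin",                   # right host, but not https
    "https://eb\u0430y.com/signin",                    # Cyrillic 'a' homoglyph in the host
]

if __name__ == "__main__":
    for url, reason in flag_suspicious(SAMPLE_LINKS):
        print("SUSPICIOUS %-48s %s" % (url, reason))
```

Run as a script it prints one line per flagged link with the reason; only the first sample passes. The check deliberately stops at the host: whether the page behind a trusted host is itself genuine is a separate question that a URL rule cannot answer, which is why the experts' advice to be wary of any unexpected sign-in prompt still applies.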
The message from the experts is always to defend yourself using good security software and to look out for anything odd. eBay’s security should be sophisticated enough to prevent this kind of attack, and if hackers do manage to sneak past it, eBay needs to react a lot faster; doing so would help its damaged reputation to recover.