eBay waited over 30 days before they fixed password stealing flaw

eBay has been criticised for taking over a month to fix a security flaw that could have left millions of users’ passwords at risk.

The security flaw was discovered on 11th December by a security researcher known only as MLT. He contacted eBay the same day he found the flaw, but revealed a month later that eBay had only just fixed it.

MLT said eBay “only rushed to patch the security flaw after the media contacted them”. In a blog post MLT described the security flaw as “fairly basic”. He demonstrated how hackers could have set up a fake login page with ‘ebay.com’ in the URL; this would then trick users into revealing their usernames and passwords.

The hackers could then lure victims to these pages by sending out a phishing email containing links to the bogus login page. Once the hackers had stolen the usernames and passwords, they could then send scam emails to millions of other users or even bid on stuff.

eBay has blamed a “miscommunication” with MLT for the delay in fixing the security flaw.
An eBay spokesman was quoted as saying “we’re aware of this particular issue, which involves fraudsters attempting to phish customers using a malicious code in very limited cases. This type of scheme is extremely rare on our platform”.

There is no sign that hackers have exploited the security flaw and stolen any passwords, but it’s an indication of just how many vulnerabilities lie undiscovered within the websites we all use daily.

This is not the first time eBay has reacted slowly to a reported security flaw. Back in 2015, an Estonian researcher, Jaanus Kääp, said eBay had not fixed a security vulnerability he had found, despite him emailing them about it 4 times in 12 months.


Windows users are at risk from an old security flaw

Microsoft have admitted that the .

The bug was found in the SSL and TLS security technology that encrypts data sent between web servers and your browser. The flaw could let a hacker force a connection down to weaker encryption, which would then make it easier to steal things like your personal information.
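The downgrade described above works because a server that still accepts old “export-grade” cipher suites can be pushed into using them (FREAK abused the RSA export suites, which use deliberately weakened keys). The check below is an added example written for this page, not code from the article or from any vendor mentioned in it: it flags export-grade suite names in a constructed list of suites a legacy server might advertise, and audits a Python `ssl` context configured the way a defender would want, so that no export or sub-128-bit suite survives. The sample suite list and the `HARDENED_CIPHER_STRING` are assumptions chosen for the example.

```python
import ssl

# Constructed sample (not from the article): OpenSSL-style cipher suite names a
# legacy server might advertise. The EXP-* entries are the export-grade RSA
# suites of the kind FREAK abused; the others are ordinary suites.
SAMPLE_SERVER_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "EXP-RC4-MD5",
    "EXP-DES-CBC-SHA",
    "EXP1024-RC4-SHA",
]

# Assumed hardening string for this example: strong suites only, and export,
# single DES, RC4 and MD5 suites explicitly excluded.
HARDENED_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"


def is_export_grade(suite_name: str) -> bool:
    """True for OpenSSL export-grade suite names (EXP- / EXP1024- prefix)."""
    return suite_name.startswith("EXP")


def export_grade_suites(suites):
    """Return the export-grade suites found in an advertised suite list."""
    return [s for s in suites if is_export_grade(s)]


def hardened_client_context() -> ssl.SSLContext:
    """Build a client context that refuses pre-TLS1.2 and weak suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHER_STRING)
    return ctx


def weak_ciphers_in_context(ctx: ssl.SSLContext, min_bits: int = 128):
    """List suites the context would still offer that are export-grade or
    weaker than min_bits; an empty list means the downgrade has nowhere to go."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if is_export_grade(c["name"]) or c["strength_bits"] < min_bits
    ]


if __name__ == "__main__":
    print("export-grade suites advertised:", export_grade_suites(SAMPLE_SERVER_SUITES))
    print("weak suites left in hardened context:", weak_ciphers_in_context(hardened_client_context()))
```

Run against a server’s real advertised suite list (for example from a scan of your own hosts), `export_grade_suites` tells you whether that server is still exposed to this class of downgrade; `weak_ciphers_in_context` is the matching check on the client side.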

A French-based team of security experts announced they had discovered the bug on the 3rd March, but the scary part was that it had gone undetected since 1999.

Initially the flaw was believed to affect BlackBerry, Android phones and Apple’s Safari web browser, but two days later Microsoft announced it also affected its operating system.

Microsoft said they were investigating the flaw and would “take the appropriate action to protect their customers”. This will most probably mean a security update, or perhaps an emergency patch outside the normal update schedule.

Other tech companies have acted quickly to fix this flaw. Google have updated their version of Chrome for Macs, and Apple are expected to release a fix for Safari the week beginning 9th March. Google have yet to say if they will update Android to fix this flaw.

Security experts have advised PC users to switch to Firefox’s browser, as the FREAK vulnerability does not affect it. They also recommended that Android users should only use Google’s Chrome browser on their devices and not the default Android browser. Mac users should also try to avoid using Safari until Apple releases their update.

It’s been estimated that of the 14 million websites offering encryption, around five million still remain vulnerable to the flaw.
