eBay waited over 30 days before fixing a password-stealing flaw
eBay has been criticised for taking over a month to fix a security flaw that could have put millions of users’ passwords at risk.
The security flaw was discovered on 11 December by a security researcher known only as MLT. He contacted eBay the same day he found the flaw, but revealed a month later that eBay had only just fixed it.
MLT said eBay “only rushed to patch the security flaw after the media contacted them”. In a blog post MLT described the security flaw as “fairly basic”. He demonstrated how hackers could have set up a fake login page with ‘ebay.com’ in the URL, a page that would then trick users into revealing their usernames and passwords.
The hackers could then lure victims to these pages by sending out a phishing email containing links to the bogus login page. Once the hackers had stolen the usernames and passwords, they could send scam emails to millions of other users or even place bids on items.
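The practical lesson of the scenario above is that a link whose host really is ‘ebay.com’ can still carry an attacker's login form, so a mail gateway or SOC triage script cannot stop at checking the domain. The following is an added illustration, not code from the article or from MLT's post; it assumes (the article does not say) that the injected content travels in a query-string parameter, and every sample link in it is constructed.

```python
import html
from urllib.parse import urlparse, parse_qsl, unquote

# Markup fragments that do not belong in the query string of a link to a
# search or login page; finding one suggests the link carries injected
# content rather than ordinary navigation parameters.
SUSPICIOUS_FRAGMENTS = ("<script", "<form", "<iframe", "<input",
                        "javascript:", "onerror=", "onload=")


def decode_value(value: str) -> str:
    """parse_qsl already decoded once; undo one extra layer of
    percent-encoding and any HTML entities, then lower-case for matching."""
    return html.unescape(unquote(value)).lower()


def suspicious_params(url: str) -> list[str]:
    """Names of query parameters whose decoded value contains markup."""
    query = urlparse(url).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if any(frag in decode_value(value) for frag in SUSPICIOUS_FRAGMENTS)]


def on_trusted_domain(url: str, trusted: tuple[str, ...]) -> bool:
    """True only for the domain itself or a real subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage(urls, trusted=("ebay.com",)) -> dict[str, str]:
    """Verdict per link: a trusted host does not clear a link whose
    parameters carry markup, which is exactly the case in the article."""
    verdicts = {}
    for url in urls:
        hits = suspicious_params(url)
        if hits:
            where = "trusted domain" if on_trusted_domain(url, trusted) else "other domain"
            verdicts[url] = f"suspicious: markup in parameter(s) {', '.join(hits)} ({where})"
        else:
            verdicts[url] = "no injected markup found"
    return verdicts


SAMPLE_LINKS = [  # constructed sample links, not real eBay URLs
    "https://www.ebay.com/search?q=vintage+camera",
    "https://www.ebay.com/search?q=%3Cform+action%3D%22https%3A%2F%2Fexample.net%2Flogin%22%3E",
    "https://www.ebay.com/search?q=%253Ciframe+src%3Dx%3E",   # double-encoded
    "https://www.ebay.com/search?q=%26lt%3Bscript%26gt%3B",    # HTML entities
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_LINKS).items():
        print(verdict, "<-", url)
```

The double-encoded and entity-encoded samples are there because a filter that only checks for a literal `<` misses both, while the decoded check catches all three injected variants and leaves the ordinary search link alone.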
eBay has blamed a “miscommunication” with MLT for the delay in fixing the security flaw.
An eBay spokesman was quoted as saying: “we’re aware of this particular issue, which involves fraudsters attempting to phish customers using a malicious code in very limited cases; this type of scheme is extremely rare on our platform”.
There is no sign that hackers exploited the security flaw and stole any passwords, but it is an indication of just how many vulnerabilities lie undiscovered within the websites we all use daily.
This is not the first time eBay has reacted slowly to a reported security flaw. Back in 2015, Estonian researcher Jaanus Kääp said eBay had not fixed a security vulnerability he found, despite him emailing them about it four times in 12 months.