Expired Domains Expose eBay Security Glitch
eBay's security was called into
question twice this week as separate sources reported loopholes in
the "log-in" system that allowed hackers to gain access to
users' accounts.
The first report, by Europe's largest computer magazine
COMPUTERBILD, charges that a vulnerability exists involving the
"secret" security question eBay users set up when first
registering on the site. The secret question is used if a person has
forgotten their password, and is supposed to be a question that
only the user could answer, such as a pet's name. COMPUTERBILD reports
that it was able to quickly find instances where the answer to
the secret question was included in a user's "About Me"
page.
The second eBay log-in vulnerability was discovered this
week by AuctionBytes and confirmed by two Internet security experts.
AuctionBytes purchased a domain name that had recently
become available after its original owner let the registration
expire. After activating the domain and setting up a mailbox,
AuctionBytes began to receive hundreds of spam messages addressed to
former employees of the site, over 20 different email addresses in
all.
Copying and pasting some of these email addresses into
eBay's "Search by Seller" search box allowed AuctionBytes
to pull up the IDs of people who had previously worked for the company
that originally owned the domain name. These employees had never
bothered to change their contact email address on eBay when the
company dissolved.
Although AuctionBytes did not attempt to hack into any
of the idle accounts, it was evident that it would be easy to gain
access to the account by using the "send me a new
password" feature, since we now owned the domain where all
emails would be sent. Once a new password is sent to the
"expired" email address, the recipient is verified and
able to access all areas of the account, in effect,
"hijacking" the account.
How simple was it to do this? An expired domain can be
purchased for under $10 and set up with a "catch-all"
mailbox where these email addresses can be collected. By entering
the email addresses that we collected into eBay's log-in page and
requesting that password information be sent to us, AuctionBytes
could have quickly accessed over half a dozen eBay accounts that had
been idle since July 2000. One of the accounts came with 48 feedback
points attached to the ID.
"It sounds really bad and quite clever," said
Richard Smith, an Internet security and privacy consultant based in
Cambridge, Mass. "This points out that the whole idea of
recovering passwords is fraught with problems." Smith also
acknowledged that this problem could potentially affect expired
Hotmail and Yahoo! email addresses that have eBay IDs attached to
them.
Kevin Pursglove, eBay's spokesperson, did not know if
eBay was aware that this problem existed, and he was unable to get
back to AuctionBytes with additional information before press time.
One way this problem might be mitigated,
according to Chris Hoofnagle, Deputy Counsel of the Electronic
Privacy Information Center in Washington, DC, is for eBay to remove
user IDs after a certain period of inactivity. "Companies with
greater transaction costs do this. If you don't use the service
after a certain period, they cancel your account," said
Hoofnagle. "That check doesn't seem to exist in the online
world."
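One defensive gate that follows from the article's findings, written here as an added example and not code from AuctionBytes or eBay: before mailing a password-reset link, refuse if the account has been dormant (Hoofnagle's suggestion) or if the recovery address's domain was re-registered after the user verified it, since a new owner would then receive the mail. The account records and the domain registry are constructed stand-ins; in practice the domain creation date would come from a WHOIS/RDAP lookup.

```python
"""Gate a password-reset mailing on two signals from the eBay case:
account dormancy, and a recovery-address domain that changed hands."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Account:
    user_id: str
    email: str
    email_verified_on: date   # when the user last proved control of this address
    last_login: date


@dataclass
class DomainRecord:
    creation_date: Optional[date]   # None: domain is currently unregistered


# Constructed registration data, standing in for a WHOIS/RDAP lookup.
REGISTRY = {
    "stablecorp.example": DomainRecord(creation_date=date(1997, 3, 4)),
    # Lapsed and re-registered by a new owner in 2001.
    "defunct-dotcom.example": DomainRecord(creation_date=date(2001, 9, 12)),
    "gone.example": DomainRecord(creation_date=None),
}

MAX_IDLE_DAYS = 365   # accounts idle longer than this need out-of-band re-verification


def reset_allowed(acct: Account, today: date, registry=REGISTRY):
    """Return (allowed, reason) for mailing a reset link to acct.email."""
    if (today - acct.last_login).days > MAX_IDLE_DAYS:
        return False, "account dormant; require out-of-band re-verification"
    domain = acct.email.rsplit("@", 1)[-1].lower()
    rec = registry.get(domain)
    if rec is None or rec.creation_date is None:
        return False, "recovery domain unregistered; mail would bounce or be squatted"
    if rec.creation_date > acct.email_verified_on:
        # The domain was (re)created after the user verified the address,
        # so whoever registered it now controls the mailbox.
        return False, "domain re-registered after address was verified; owner changed"
    return True, "ok"


if __name__ == "__main__":
    today = date(2001, 10, 1)
    a = Account("seller1", "jane@defunct-dotcom.example", date(1999, 5, 20), date(2001, 9, 20))
    print(reset_allowed(a, today))
```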
eBay reports over 60 million registered users on its
site, approximately 30 million of whom eBay defines as active users,
leaving another 30 million accounts that have not been accessed
within the past year.
eBay uses the number of registered users as a metric to
assess performance, along with Gross Merchandise Sales (GMS) and
number of items listed on the site.
Source: auction bytes
