eBay downplays security hole

A JavaScript exploit could enable thieves to place auction bids using stolen member passwords.

Paul Festa, Staff Writer, CNET News.com. Paul Festa covers browser development and Web standards.

eBay today acknowledged that its users are vulnerable to a password-stealing exploit, but minimized the threat it poses.

The exploit, demonstrated by Canadian security enthusiast Tom Cervenka, alters an eBay page with JavaScript to request the user name and password immediately after a user bids on an item. The password is then sent to the JavaScript author, who can use it to participate in other auctions without the user's knowledge.

JavaScript is a scripting language developed by Netscape Communications for executing actions on a Web page without user interaction. JavaScript, which is unrelated to Sun Microsystems' Java programming language, has been the source of numerous privacy and security bugs that Web sites and browsers have had to fend off.
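The defensive counterpart to the mechanism described above is to treat seller-supplied listing text as data rather than as page code, so that markup a seller includes cannot run as script in other users' browsers. The following is an added example; it is not eBay's code and is not taken from Cervenka's demonstration. It assumes a Node.js listing renderer with hypothetical functions `escapeHtml`, `sanitizeDescription` and `renderListing`, and keeps only a small allowlist of formatting tags (`b`, `i`, `u`, `br`, `p`) so sellers can still format a description while any `<script>` block or event-handler attribute reaches the browser as inert text.

```javascript
// Added example (not eBay's own code): render a seller-supplied listing
// description so that any markup the seller includes, <script> blocks
// included, reaches the browser as escaped text. A small allowlist of
// formatting tags is kept; those are re-emitted from a fixed template
// with all attributes dropped rather than copied from the input.
const ALLOWED_TAGS = new Set(["b", "i", "u", "br", "p"]);

// Escape the five characters that can change HTML structure.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Walk the description tag by tag: allowlisted tags are rebuilt bare,
// everything else (tags, text, stray '<') is escaped.
function sanitizeDescription(html) {
  const tagPattern = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let out = "";
  let last = 0;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, match.index)); // text between tags
    const name = match[1].toLowerCase();
    const closing = match[0].startsWith("</");
    if (ALLOWED_TAGS.has(name)) {
      out += closing ? `</${name}>` : `<${name}>`; // attributes such as onclick= are dropped
    } else {
      out += escapeHtml(match[0]); // <script>, <form>, <img ...> become visible text
    }
    last = tagPattern.lastIndex;
  }
  out += escapeHtml(html.slice(last)); // trailing text
  return out;
}

// Assemble the listing page fragment; the title is plain text, so it is
// escaped outright, while the description goes through the allowlist.
function renderListing(title, description) {
  return `<h1>${escapeHtml(title)}</h1>\n<div class="description">${sanitizeDescription(description)}</div>`;
}

// Constructed sample (hypothetical, not a real listing): legitimate formatting
// mixed with a script block and an event-handler attribute.
const SAMPLE_DESCRIPTION =
  '<b>Mint condition</b> camera<br><script>alert("not run")</script><b onclick="x()">click</b>';

console.log(renderListing("Vintage camera & lens", SAMPLE_DESCRIPTION));
```

The allowlist approach inverts the page's problem: instead of searching for known-bad script and hoping nothing is missed, the renderer only ever emits tags it wrote itself. This toy does not balance tags (an unclosed `<b>` could still affect layout), so a production listing site would use a maintained HTML sanitizer with the same allowlist discipline.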

eBay acknowledged that the JavaScript exploit works, but minimized its importance.

"We know it's there, but you have to put it all in perspective," said eBay spokesman Kevin Pursglove. "We have a very open environment that lets individuals describe what they're selling, and JavaScript is there so people can make the best of their abilities to describe an item."

The exploit is dubbed "eBayla," a tongue-in-cheek reference to the Ebola virus, although Cervenka's exploit is not a computer virus.

Pursglove compared the security breach to having someone look over your shoulder as you enter a credit card number on a keypad.

"It's the same type of activity, and our way of preventing it is posting on announcement boards that we will never ask for the user's password except under limited circumstances," Pursglove said. "It's also helpful to change your password from time to time."

Furthermore, Pursglove said, eBay will not hold a user accountable for a bid that is entered using a pilfered password.

However, that policy may pose some practical problems for the online auction house, which generally does not allow users to retract bids. But Pursglove said eBay would be able to determine whether a user's bid had been falsified, even if the password had been stolen. He declined to spell out how eBay would verify the user's claim, but said part of that process would involve looking at the user's feedback rating and any history of trying to retract bids.

eBay also will investigate users who create this type of exploit on the service, Pursglove said, and anyone identified as having done it could be barred from the site altogether. eBay would also give their names to law enforcement authorities when appropriate, he added.

The company has not decided whether to take action against Cervenka and his demonstration, Pursglove said.