
eBay plugs password security hole

A password function that the online auction site temporarily disabled to address a "very serious" security hole has been re-enabled. The hole could have compromised customer accounts.

eBay temporarily disabled a password function on its Web site Tuesday to close a "very serious" security hole that could have given hackers access to eBay users' accounts, the company said.

eBay disabled the "Change Your Password" function in an effort to close the vulnerability, eBay spokesman Kevin Pursglove said Tuesday, adding that it would remain disabled until eBay put a fix in place. The company re-enabled the feature early Wednesday morning.

"We don't see (the vulnerability) existing in other features," and no customers have complained, Pursglove said. "From what we can tell right now, we have not seen anybody's account compromised in any way."

Greg Shipley, chief technology officer of security consulting firm Neohapsis, blamed the problem on a "design failure" in eBay's authentication system.

"It's just a bad design. It's kind of disappointing coming from a company the size of eBay," Shipley said.

The vulnerability, discovered by a Canadian security expert and brought to eBay's attention late last week, would allow a person who has the user ID of an account to go in through eBay's Change Your Password feature, change the person's password and gain access to the account.

Pursglove said people who may have exploited the vulnerability would not have been able to see credit card numbers.

"What they can see is the credit card transaction history of a user," Pursglove said, calling the problem "very serious." The credit card numbers, he said, are behind a separate firewall.

Though eBay has disabled access to that security hole, the company is still working on a fix for an earlier problem involving so-called dictionary attacks. These attacks use a bot, or an automated program, to find passwords for known eBay user IDs by combing through a list of common passwords and a dictionary of words.

eBay has said that the number of accounts compromised by dictionary attacks has been no more than the "low triple digits." The company has also said that less than one one-hundredth of 1 percent of its listings end in confirmed cases of fraud.

"We're working on it right now," Pursglove said Tuesday, adding that changes to the login procedure would be in place in four to six weeks. "We think it will make it harder for these (attacks) to work."
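As an added illustration (not eBay's code, which the article does not show), the following minimal password-change handler contrasts the design failure described above, where knowing a user ID was enough to set a new password, with a version that requires the current password, and adds a failure counter of the kind a login change could use to slow a bot cycling through a word list. The in-memory account store, the failure threshold and the lockout window are all assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed in-memory account store: user_id -> salt, hash, failure counter, lockout expiry
ACCOUNTS = {}
MAX_FAILURES = 5          # assumed lockout threshold, not eBay's actual policy
LOCKOUT_SECONDS = 900     # assumed lockout window

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(user_id: str, password: str) -> None:
    salt = os.urandom(16)
    ACCOUNTS[user_id] = {"salt": salt, "hash": _hash(password, salt),
                         "failures": 0, "locked_until": 0.0}

def verify_password(user_id: str, password: str, now: Optional[float] = None) -> bool:
    """Check a password, counting failures so a word-list bot locks the account out."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(user_id)
    if acct is None or now < acct["locked_until"]:
        return False   # unknown user or still locked out: same answer either way
    ok = hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"])
    if ok:
        acct["failures"] = 0
    else:
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
    return ok

def change_password_flawed(user_id: str, new_password: str) -> bool:
    """The design failure: a user ID alone is treated as proof of ownership."""
    if user_id not in ACCOUNTS:
        return False
    salt = os.urandom(16)
    ACCOUNTS[user_id].update(salt=salt, hash=_hash(new_password, salt))
    return True

def change_password(user_id: str, current_password: str, new_password: str) -> bool:
    """Hardened: the caller must first prove possession of the current password."""
    if not verify_password(user_id, current_password):
        return False
    salt = os.urandom(16)
    ACCOUNTS[user_id].update(salt=salt, hash=_hash(new_password, salt))
    return True
```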

Security experts have criticized the company's login system, saying that because it generally transmits passwords and account information in plain text, it is vulnerable to "packet sniffers," programs that can monitor the transmission of data between computers.

eBay has also repeatedly warned members in recent months about another, more low-tech scam: fraudulent e-mail messages that purport to come from the company but link to bogus Web sites that ask for passwords or other account information.