eBay has made its fortune from people spending money; it now has 162 million users, saw $82 billion of sales in 2015, receives 250 million search requests per day, and has an annual revenue in excess of $8.5 billion.
It might be reasonable, therefore, to expect the site to be one of the most secure on the entire web. Worryingly, it’s not.
In the last few years, eBay has been hit with seemingly endless hacks, data breaches, and security flaws. In this article, we take a look at some of the problems that eBay has encountered and use them to highlight the reasons why you should avoid the company.
The 2014 Hack
The most famous eBay breach occurred in late-February and early-March of 2014.
The Syrian Electronic Army (SEA) took responsibility for the attack, which stole up to 145 million users’ email addresses, physical addresses, phone numbers, dates of birth, and encrypted passwords. eBay claimed that no bank account details were revealed; the SEA said they had bank account details but would not misuse them.
Slow to Respond to Problems
Having all that data stolen is bad enough, but what’s worse is that it took eBay until May to make the details of the hack public.
Even after the delay, it was a botched response. Firstly, a post went up on eBay’s blog detailing the hack. That was then taken down again as eBay laboriously emailed all users to notify them. There was no homepage splash and no public press release or statement.
Users were furious. “Just wondering why I’m hearing this from BBC before eBay,” said one reader on the BBC’s website.
Eventually, the company released the following statement:
“After conducting extensive tests on its networks, we have no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.”
eBay then promised to implement a tool which would require users to change their password when they next logged in. It took several weeks to go live.
“It shouldn’t take this long to have something in place that forces users to change their passwords, and it should have let people know what was happening – it doesn’t take much time to send an email out for goodness sake,” security expert Alan Woodward told the BBC at the time. “It builds a picture of a firm with serious questions to answer.”
Lack of Encryption
The hack also raised questions over the company’s database security. Experts around the world questioned why the personal information they held was not encrypted.
Once again, eBay’s response was lukewarm:
“We provide different levels of security based on different types of information we’re storing and all financial information across all of our business is encrypted.”
The quote appeared to suggest that eBay didn’t view its users’ private information as important. No doubt 145 million people thought otherwise.
Lack of Concern About Individual Hacks
It’s not just the newsworthy hacks where the company has failed. Their customer service email system also leaves a lot to be desired, as evidenced by a famous post by a user called madonna_1966.
Her Yahoo email account was hacked so she moved quickly to notify eBay. Initially, they removed all her pending listings and temporarily put a block on her bank cards. So far, so good.
However, as she was dealing with them via a non-eBay registered email, they advised her that they’d sent instructions on how to restore her account to her eBay email account — the same one as she had just told them had been hacked. They had just given the hacker a free pass to her eBay account.
As she wrote in her post, “1) Why did they take 2-3 days to acknowledge my plea. 2) If they can send a reply to a new email address why can’t they send the instructions as well?”.
Given the way eBay reacted to the Spring 2014 hack, it was somewhat unsurprising that the world’s hackers descended on the company to try and find further flaws.
It didn’t take them long.
Any Account Hackable in Less Than a Minute
An Egyptian security researcher called Yasser Ali found that he could hack anyone’s account if he knew the account holder’s real name; in the age of social media, that’s readily available information.
It worked because eBay exposed the random reset code as an HTML form parameter on the page that initiates the reset, and then embedded that same code in the link generated by the automatic “reset password” email. Whoever submitted the reset request therefore already held the one secret the email was supposed to deliver, so the email step could be bypassed entirely and the link constructed by hand.
He told eBay about the loophole in June 2014. It took eBay until September to do anything about it. During that time, a capable attacker could have automated password reset requests against every account exposed in the Spring breach.
Are you starting to notice a common theme here?!
eBay Don’t Pay White Hat Hackers
Ali quit his job as a mechanical engineer to focus on information security and reportedly found several more bugs within the site.
However, unlike Google, Facebook, and other similar companies, eBay do not pay “good guy” hackers for vulnerability information. Instead, they merely publish a list of people who have helped out. Unsurprisingly, Ali stopped looking and now solely focuses on working with companies that do pay.
Who knows what other flaws are sitting there waiting to be discovered by would-be criminals?
The Problems Continue
There have been plenty more horror stories in the intervening years.
In late 2014 it was revealed that hundreds of listings contained cross-site scripting (XSS) payloads: JavaScript embedded in the listing itself which, when the listing was opened, redirected users to everything from password-harvesting phishing pages to malware. It was taking eBay more than 12 hours to remove each reported listing.
Elsewhere, a teenager from Australia called Joshua Rogers found an information leakage flaw and an SQL injection vulnerability. Once again, it took eBay several weeks to fix.
Refusal to Fix Flaws
Fast-forward to the present day and the company is still struggling.
In early 2016, eBay told security firm Check Point that it had no plans to fix a vulnerability that put users at risk of a wide range of threats, including phishing attacks and malware.
The attack uses JSF*ck, an encoding that expresses arbitrary JavaScript using only the six characters []()!+, to get code past eBay’s filtering of listing content. The result is a genuine eBay page that carries malicious code. If a customer opens the page, Check Point claim it could “lead to multiple ominous scenarios that range from phishing to binary download.”
eBay was notified on 15th December but told Check Point on 16th January that they would not fix it.
In a statement, they said:
“As a company, we’re committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”
Are eBay Trustworthy?
As you will have ascertained, it seems eBay oscillate between incompetent and shambolic when it comes to security concerns.
Frankly, there is no way that a company of such size should have had so many things come to light in such a short period of time. We have to accept that things will occasionally go wrong, but eBay’s incredibly slow response time coupled with their lack of concern for serious flaws is extremely concerning. It seems like they have learned little in the last two years.
The bottom line is this: at best they will fix issues eventually, at worst, they’ll ignore them and hope no one notices.
Do these issues concern you? Have you fallen victim to one of the hacks? Do you trust the firm? As always, you can let us know your thoughts, opinions, and stories in the comments box below.