New security problems keep eBay on edge

Independent security pros are finding all kinds of flaws in eBay's networks

eBay's security team isn't going to get a break for a while.

Following an attack disclosed last week that exposed sensitive information of up to 145 million people, the auction giant is scrambling to repair several other problems reported in its vast network by security enthusiasts.

"As a company, we take all vulnerabilities reported to us very seriously, evaluating any reported issue within the context of our entire security infrastructure," wrote Ryan Moore, lead manager of eBay's business communications, in an email to IDG News Service.

EBay has long been a target for cybercriminals. It is the seventh most visited site in the U.S., according to statistics from Amazon's Alexa Web analytics unit. Its combination of a marketplace and a payments platform, PayPal, means it holds sensitive data and presents opportunities for fraudsters.

Three U.S. states -- Connecticut, Florida and Illinois -- are jointly investigating eBay's data breach, a sign that regulators and law enforcement are taking a keen interest in how consumer data is protected following Target's data breach last year.

EBay's size puts it in the league of companies such as Facebook, Google and Microsoft. All run large networks constantly prodded by "black hat" hackers, those who are seeking to damage a company or profit from attacks, and "white hats," who alert companies to problems.

Yasser Ali, a 27-year-old who lives in Luxor, Egypt, said it took him all of three minutes last week to find a serious vulnerability that could let him take over anyone's eBay account if he knows a person's user name, which is public information.

Ali shared a video with eBay showing how the flaw could be exploited, he said in a phone interview Tuesday night. He hasn't received a response from eBay, but said the video was viewed by company officials 17 times, according to a statistics counter on the clip. Moore said eBay has now fixed the bug, and Ali plans to release details of it.

Ali, who quit his job as a mechanical engineer last month to focus on information security, has found other bugs before in eBay and is named in a list of security gurus who have helped out. But he said he has little incentive to continue analyzing eBay since the company doesn't pay for vulnerability information.

"They are not like Google's security team, and they are not like Facebook," Ali said, noting those companies have close ties with the research community. "This will kill their reputation."

Google, Facebook, Yahoo and others pay independent researchers rewards up to thousands of dollars for security information. The payments are an incentive for security enthusiasts, who spend long hours on their own time to look for flaws.

The crowd-sourced approach is more efficient for companies, since they benefit from having many pairs of eyes on their operations. One study showed the rewards given out work out to be cheaper than hiring more full-time security staff.

Instead of payment, EBay recognizes researchers if they responsibly disclose flaws and do not publish information publicly before a flaw is patched. A long list of contributors is on its Responsible Disclosure Acknowledgement Page, and Ali is among them.

Joshua Rogers, a teenager who lives in Melbourne, said he started looking around eBay's website just prior to the data breach because he was bored. Rogers is notable for finding a SQL injection flaw late last year in the website of Public Transport Victoria, which runs that Australian state's transport system.

He said via email he's found several cross-site scripting vulnerabilities and an information leakage flaw in eBay. He also found a SQL injection vulnerability, which was fixed by eBay about four days ago.

Moore said that eBay allows "active content" on its pages, which uses JavaScript code and the multimedia program Flash from Adobe Systems. It allows sellers to make their content more attractive, he said.

But he wrote "we are aware that active content may be also used in abusive ways."

EBay's security system detects when malicious code is inserted on the website, and it bans the use of some kinds of active content, Moore wrote. Product listings that have malicious content are removed.

One problem involving Flash was reported to eBay last week by 19-year-old Jordan Lee Jones, who lives in Stockton-on-Tees, U.K. The flaw allowed him to upload shellcode to eBay's network, which would have allowed him to deface part of the website or download the backend database.

Moore said eBay is working on a fix.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk
