eBay closes password security hole

Online auction powerhouse eBay Inc. closed a security hole in a password-maintenance feature late Tuesday that could have allowed attackers to take over a user’s account and commit fraud.

The vulnerability existed in the feature that allowed registered eBay users to change the passwords that they use to log into the site, according to Kevin Pursglove, senior director of communications at the San Jose, Calif.-based, company. Though the “change your password” feature was taken offline around 5 p.m. Pacific time Tuesday due to the security hole, the feature has since been fixed and put back online, he said.

The hole would have allowed an attacker who knew the publicly available name that an eBay member bids under, to change that user’s password, thereby taking over the account, Pursglove said. eBay was first notified that the attack was possible by a user on March 27 or 28, Pursglove said. Users who attempted to change their passwords after the service was disabled got error messages, he added.

Although the potential existed for attackers to have access to accounts, no credit card or personal information would have been available to them, because that data is stored on separate servers and behind separate firewalls, Pursglove said.

eBay is “in the process right now of reviewing all the password changes that have come in to us recently,” Pursglove said, adding that the company has not yet received any user reports of fraud or account hijacking related to the vulnerability.

The company is “still in the process of reviewing” how the hole occurred, he said.

eBay users have been hit with other account troubles recently. Some users have reported having their accounts hijacked in recent months, though Pursglove said those incidents are unrelated to Tuesday’s security hole.

eBay can be found on the Web at http://www.ebay.com

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now