eBay’s security headaches keep piling up

The story about the massive cyber attack that may have compromised as many as 145 million eBay accounts a few months ago – but that was revealed by the online retailer only last week – continues to develop.

When eBay went public about the breach last week, it recommended that 145 million users change their passwords. Now, however the password-changing process has come under fire. Some security experts and tech media outlets say that it actually accepts new passwords that eBay’s own security policies describe as too weak.

As if that weren’t bad enough, the data breach has also led to a joint inquiry by a number of U.S. state attorneys-general and a possible investigation by the Information Commissioner (ICO) in the U.K. The ICO could impose fines as high as £500,000 ($914,330).

“eBay is, on the face of it, a very serious breach,” Information Commissioner Christopher Graham told BBC Radio. “The message for business is you’ve got to be better at security and you’ve got to be better with our personal data.” The ICO previously fined Sony £250,000 ($457,020) for a data breach, he noted.

In an article in The Register, Darren Paul describes his own experience when changing his eBay password.

“This writer has confirmed eBay accepted the most commonly used password as revealed in 2012 during its user password reset process,” Paul writes. “It also permitted those combinations explicitly marked unacceptable by eBay.”

Paul says the password system on eBay (Nasdaq: EBAY) flagged “high entropy” (randomness) passwords generated by the LastPass password management service as weak and suggesting riskier, more common alternatives would be more secure.

Security experts also claim to have found a new vulnerability. Jordan Lee Jones, a U.K. security researcher, reported a cross-site scripting (XSS) flaw in eBay’s labs page, which Paul said was offline at time of reporting. Jones had reported another vulnerability which eBay then patched.

A German security expert reported a second, unpatched XSS vulnerability which attackers could use to create auction pages with unauthorized Javascript that could steal users’ cookies.

“Ebay reused the cookies across sessions regardless of whether the victim logged out their account or reset passwords,” Paul reported.

Andrew Brooks
Andrew Brooks
Andrew Brooks is managing editor of IT World Canada. He has been a technology journalist and editor for 20 years, including stints at Technology in Government, Computing Canada and other publications.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web