Following an attack disclosed last week that exposed sensitive information of up to 145 million people, the auction giant is scrambling to repair several other problems reported in its vast network by security enthusiasts.
EBay has long been a target for cybercriminals. It is the seventh most visited site in the U.S, according to statistics from Amazon’s Alexa Web analytics unit. Its combination of a marketplace and payments platform, PayPal, means it holds sensitive data and poses opportunity for fraudsters.
Three U.S. states—Connecticut, Florida and Illinois — are jointly investigating eBay’s data breach, a sign that regulators and law enforcement are taking a keen interest in how consumer data is protected following Target’s data breach last year.
EBay’s size puts it in the league of companies such as Facebook, Google and Microsoft. All run large networks constantly prodded by “black hat” hackers, those who are seeking to damage a company or profit from attacks, and “white hats,” who alert companies to problems.
Yasser Ali, a 27-year-old who lives in Luxor, Egypt, said it took him all of three minutes last week to find a serious vulnerability that could let him take over anyone’s eBay account if he knows a person’s user name, which is public information.
Ali shared a video with eBay showing how the flaw could be exploited, he said in a phone interview Tuesday night. He hasn’t received a response from eBay, but said the video was viewed by company officials 17 times, according to a statistics counter on the clip. Moore said eBay has now fixed the bug, and Ali plans to release details of it.
Ali, who quit his job as a mechanical engineer last month to focus on information security, has found other bugs before in eBay and is named in a list of security gurus who have helped out. But he said he has little incentive to continue analyzing eBay since the company doesn’t pay for vulnerability information.
“They are not like Google’s security team, and they are not like Facebook,” Ali said, noting those companies have close ties with the research community. “This will kill their reputation.”
Professional bug hunters help
Google, Facebook, Yahoo and others pay independent researchers rewards up to thousands of dollars for security information. The payments are an incentive for security enthusiasts, who spend long hours on their own time to look for flaws.
The crowd-sourced approach is more efficient for companies, since they benefit from having many pairs of eyes on their operations. One study showed the rewards given out work out to be cheaper than hiring more full-time security staff.
Instead of payment, EBay recognizes researchers if they responsibly disclose flaws and do not publish public information before a flaw is patched. A long list of contributors is on its Responsible Disclosure Acknowledgement Page, and Ali is among them.
Joshua Rogers, a teenager who lives in Melbourne, said he started looking around eBay’s website just prior to the data breach because he was bored. Rogers is notable for finding a SQL injection flaw late last year in the website of Public Transport Victoria, which runs that Australian state’s transport system.
He said via email he’s found several cross-site scripting vulnerabilities and an information leakage flaw in eBay. He also found a SQL injection vulnerability, which was fixed by eBay about four days ago.
But he wrote “we are aware that active content may be also used in abusive ways.”
EBay’s security system detects when malicious code is inserted on the website, and it bans the use of some kinds of active content, Moore wrote. Product listings that have malicious content are removed.
One problem involving Flash was reported to eBay last week by 19-year-old Jordan Lee Jones, who lives in Stockton-on-Tees, U.K. The flaw allowed him to upload shellcode to eBay’s network, which would have allowed him to deface part of the website or download the backend database.
Moore said eBay is working on a fix.