[ISN] Ebay Takes Action To Plug Password Hole

From: InfoSec News (isnat_private)
Date: Wed Apr 03 2002 - 00:45:29 PST


    By Brian McWilliams, Newsbytes
    02 Apr 2002, 10:27 PM CST
    Responding to a report of a severe security flaw, Ebay [NASDAQ:EBAY]
    has temporarily disabled a system at its online auction site for
    changing user passwords.
    Ebay spokesman Kevin Pursglove said the firm took the action to
    prevent criminals from exploiting a vulnerability in the site's
    authentication system that potentially enabled attackers to steal Ebay
    users' accounts.
    "This is a temporary solution until we can address the issue. We now
    have to begin a process," said Pursglove.
    The flaw, reported to Ebay last week by a Canadian security expert,
    gave attackers the ability to easily change the password of nearly any
    Ebay user, as long as the attacker knew the victim's user ID.
    According to the expert, who identified himself only by his alias,
    "Null," the security hole at Ebay potentially allowed attackers to
    modify victims' auctions and bids.
    "It's good to hear Ebay is taking steps to solve this problem," Null
    said in an interview this evening.
    In a document submitted to Ebay Friday, Null detailed how the
    company's authentication system, which involved the use of a "hash" of
    numbers and letters in the source code of its password pages, could be
    By cutting and pasting the special string of data from one page at the
    site to another, an attacker could bypass Ebay's requirement that
    users must be logged in before they can change their passwords, the
    document said.
    Using a test Ebay account, Newsbytes confirmed that the technique
    enabled an unauthenticated user to reset another user's password.
    When initially notified of the security issue Friday, Pursglove told
    Newsbytes that the company was already aware of the scenario and had
    no immediate plans to correct the flaw.
    Pursglove acknowledged this afternoon that the vulnerability
    identified by Null was new and was being fully investigated by Ebay.
    Using the "view source" option in his Web browser, Null discovered
    that Ebay was hiding a hashed version of the Ebay customer's user ID
    in the HTML code of a page for requesting a password hint.
    It was still possible this evening to force Ebay's system to generate
    the "hash" corresponding to any user's ID. But the second step of the
    attack, which included inserting the hash into a page for changing the
    user's password, failed and generated an "Input Error" message.
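    To make the mechanism described above concrete, the following is an
    added example, a toy model written for this page rather than Ebay's code
    or anything the article prints. It simulates a server whose password-hint
    page embeds a hash of the public user ID in a hidden form field, a
    password-change handler that accepts that pasted hash as proof of
    identity (the flaw), and a hardened handler that takes the account from a
    server-side session and re-checks the current password (the fix). The
    hash algorithm (SHA-256), the field and page names, and the sample
    accounts are assumptions for illustration; the article does not say what
    hash Ebay used. The root cause it demonstrates is that a value any client
    can compute or fetch from a public page cannot serve as authentication.

```python
"""Toy model of a password-change flaw: a client-supplied hash of a public
user ID is trusted as proof of identity. Not Ebay's code; hash algorithm,
field names and sample accounts are assumptions for illustration."""
import hashlib
import hmac
import re
import secrets
from typing import Callable, Dict, Optional

# Constructed sample account store (user ID -> password). Plaintext only to
# keep the model short; a real store holds salted password hashes.
ACCOUNTS: Dict[str, str] = {"alice": "hunter2", "bob": "correct-horse"}

# Server-side session store: opaque session token -> authenticated user ID.
SESSIONS: Dict[str, str] = {}


def uid_hash(user_id: str) -> str:
    """Assumed stand-in for the 'hash of numbers and letters' in the article.
    Its only input is the public user ID, so anyone who knows the ID gets it."""
    return hashlib.sha256(user_id.encode()).hexdigest()


def password_hint_page(user_id: str) -> str:
    """Unauthenticated page: a hint can be requested for any user ID, and the
    hashed ID sits in the HTML as a hidden field (visible via 'view source')."""
    return (
        "<form method='post' action='/ChangePassword'>\n"
        f"  <input type='hidden' name='uid_hash' value='{uid_hash(user_id)}'>\n"
        "  <input type='submit' value='Request hint'>\n"
        "</form>"
    )


def change_password_vulnerable(form: Dict[str, str]) -> bool:
    """Flawed handler: treats the client-supplied uid_hash as proof of identity."""
    target = next((u for u in ACCOUNTS if uid_hash(u) == form.get("uid_hash")), None)
    if target is None:
        return False
    ACCOUNTS[target] = form["new_password"]
    return True


def login(user_id: str, password: str) -> Optional[str]:
    """Issues a random session token only after the password checks out."""
    stored = ACCOUNTS.get(user_id)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def change_password_fixed(session_token: Optional[str], form: Dict[str, str]) -> bool:
    """Hardened handler: the account comes from the server-side session, never
    from a form field, and a sensitive change re-checks the current password.
    Whatever the client claims about who it is (e.g. uid_hash) is ignored."""
    user = SESSIONS.get(session_token or "")
    if user is None:
        return False  # unauthenticated: reject (the article's 'Input Error')
    current = form.get("current_password", "")
    if not hmac.compare_digest(ACCOUNTS[user].encode(), current.encode()):
        return False
    ACCOUNTS[user] = form["new_password"]
    return True


def attack(victim: str, new_password: str,
           handler: Callable[[Dict[str, str]], bool]) -> bool:
    """Unauthenticated attacker who knows only the victim's user ID: fetch the
    hint page, cut the hash out of its HTML, paste it into a change request."""
    html = password_hint_page(victim)
    match = re.search(r"name='uid_hash' value='([0-9a-f]+)'", html)
    if match is None:
        return False
    return handler({"uid_hash": match.group(1), "new_password": new_password})


def demo() -> Dict[str, object]:
    """Runs the attack against both handlers plus one legitimate change and
    returns the outcomes. Resets the toy state first so it can be re-run."""
    ACCOUNTS.update({"alice": "hunter2", "bob": "correct-horse"})
    SESSIONS.clear()
    results: Dict[str, object] = {}
    results["vuln_attack_succeeded"] = attack("alice", "pwned", change_password_vulnerable)
    results["alice_password"] = ACCOUNTS["alice"]
    results["fixed_attack_succeeded"] = attack(
        "bob", "pwned", lambda form: change_password_fixed(None, form))
    results["bob_password_after_attack"] = ACCOUNTS["bob"]
    token = login("bob", "correct-horse")
    results["legit_change_succeeded"] = change_password_fixed(
        token, {"current_password": "correct-horse", "new_password": "n3w-pass"})
    results["bob_password_after_legit"] = ACCOUNTS["bob"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Against the flawed handler the attacker resets alice's password without
    ever logging in; against the hardened handler the same pasted hash is
    rejected, while bob, holding a real session and his current password, can
    still change his own. Disabling the change-password page, as the article
    reports Ebay did, stops the bleeding; the durable fix is the second
    handler's rule that identity is read from server state the client cannot
    forge.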
    An announcement board at Ebay's site this evening warned customers
    that the password change function was unavailable and that the company
    was working to correct the situation.
    Pursglove acknowledged that, in recent weeks, "a very small number" of
    Ebay users have been locked out of their accounts by scam artists who
    post fraudulent auctions in their names and rip off other Ebay
    Ebay believes that some user accounts have recently been compromised
    by criminals using "cracking" programs that attempt to guess or "brute
    force" users' passwords. In addition, fraud artists have in the past
    created bogus sites designed to trick Ebay users into divulging their
    user IDs and passwords, Pursglove said.
    According to Ebay, the technique discovered by Null would not enable
    attackers to access victims' credit card numbers, although it would
    allow them to view the user's credit card transaction history.
    As a deterrent to fraud, Ebay previously e-mailed a notification to
    users when their passwords had been changed. The automatically
    generated message included the Internet protocol address of the
    computer used to reset the password.
    A review of Ebay's Billpoint site indicated that the password
    vulnerability identified by Null did not appear to affect the
    electronic payment service.
    Ebay is at http://www.ebay.com
    Billpoint is at http://www.billpoint.com
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Apr 03 2002 - 03:49:41 PST