http://www.newsbytes.com/news/02/175614.html

By Brian McWilliams, Newsbytes

SAN JOSE, CALIFORNIA, U.S.A., 02 Apr 2002, 10:27 PM CST

Responding to a report of a severe security flaw, Ebay [NASDAQ:EBAY] has temporarily disabled a system at its online auction site for changing user passwords.

Ebay spokesman Kevin Pursglove said the firm took the action to prevent criminals from exploiting a vulnerability in the site's authentication system that potentially enabled attackers to steal Ebay users' accounts.

"This is a temporary solution until we can address the issue. We now have to begin a process," said Pursglove.

The flaw, reported to Ebay last week by a Canadian security expert, gave attackers the ability to easily change the password of nearly any Ebay user, as long as the attacker knew the victim's user ID.

According to the expert, who identified himself only by his alias, "Null," the security hole at Ebay potentially allowed attackers to modify victims' auctions and bids.

"It's good to hear Ebay is taking steps to solve this problem," Null said in an interview this evening.

In a document submitted to Ebay Friday, Null detailed how the company's authentication system, which involved the use of a "hash" of numbers and letters in the source code of its password pages, could be subverted. By cutting and pasting that string of data from one page at the site into another, an attacker could bypass Ebay's requirement that users be logged in before they can change their passwords, the document said.

Using a test Ebay account, Newsbytes confirmed that the technique enabled an unauthenticated user to reset another user's password.

When initially notified of the security issue Friday, Pursglove told Newsbytes that the company was already aware of the scenario and had no immediate plans to correct the flaw. By this afternoon, however, Pursglove acknowledged that the vulnerability identified by Null was new and was being fully investigated by Ebay.
Using the "view source" option in his Web browser, Null discovered that Ebay was hiding a hashed version of the Ebay customer's user ID in the HTML code of a page for requesting a password hint.

It was still possible this evening to force Ebay's system to generate the "hash" corresponding to any user's ID. But the second step of the attack, which involved inserting the hash into a page for changing the user's password, failed and generated an "Input Error" message.

An announcement board at Ebay's site this evening warned customers that the password change function was unavailable and that the company was working to correct the situation.

Pursglove acknowledged that, in recent weeks, "a very small number" of Ebay users have been locked out of their accounts by scam artists who post fraudulent auctions in their names and rip off other Ebay customers.

Ebay believes that some user accounts have recently been compromised by criminals using "cracking" programs that attempt to guess or "brute force" users' passwords. In addition, fraud artists have in the past created bogus sites designed to trick Ebay users into divulging their user IDs and passwords, Pursglove said.

According to Ebay, the technique discovered by Null would not enable attackers to access victims' credit card numbers, although it would allow them to view the user's credit card transaction history.

As a deterrent to fraud, Ebay previously e-mailed a notification to users when their passwords had been changed. The automatically generated message included the Internet protocol address of the computer used to reset the password.

A review of Ebay's Billpoint site indicated that the password vulnerability identified by Null did not appear to affect the electronic payment service.

Ebay is at http://www.ebay.com

Billpoint is at http://www.billpoint.com

- ISN is currently hosted by Attrition.org
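The design flaw the article describes, a per-user hash that a password-hint page exposes in its HTML and a change-password page then accepts in place of a logged-in session, is modelled below as an added Python example. It is a constructed illustration, not Ebay's code and not Null's submission: the sample accounts, the hidden-field name `uid_hash`, the token lifetime and the "Input Error" response string are all assumptions. It shows the vulnerable flow beside a hardened one in which the reset authenticator is random, stored only as a digest, bound to one user, expiring and single-use, and the change-password handler also honours a real session.

```python
"""Constructed model of an unauthenticated password-reset flaw (not eBay's code).

Assumed names throughout: sample users, the uid_hash field, RESET_TTL and the
"Input Error" string. The lesson is general: a token that is derivable from a
public identifier, or handed out on a page anyone can request, is not an
authenticator, whatever hash produced it.
"""
import hashlib
import re
import secrets
import time


class VulnerableSite:
    """Hint page leaks a hash of the user ID; change-password trusts that hash."""

    def __init__(self):
        # Constructed sample accounts.
        self.passwords = {"alice": "hunter2", "bob": "s3cret"}
        self.hints = {"alice": "pet name", "bob": "first car"}

    def _uid_hash(self, user_id):
        # Deterministic function of the public user ID. Keying it would not
        # help: the hint page below hands the value to anyone who asks.
        return hashlib.sha1(user_id.encode()).hexdigest()

    def password_hint_page(self, user_id):
        # Served for any user ID, no login needed; the hash rides along hidden.
        return (
            f'<form><input type="hidden" name="uid_hash" value="{self._uid_hash(user_id)}">'
            f"<p>Hint: {self.hints[user_id]}</p></form>"
        )

    def change_password(self, user_id, new_password, uid_hash):
        # The flaw: no session is checked. Possession of the hash, which the
        # hint page gave away, is treated as proof of identity.
        if uid_hash != self._uid_hash(user_id):
            return "Input Error"
        self.passwords[user_id] = new_password
        return "OK"


def extract_uid_hash(html):
    """Pull the hidden hash out of the page source, as 'view source' shows it."""
    m = re.search(r'name="uid_hash" value="([0-9a-f]+)"', html)
    return m.group(1) if m else None


def takeover(site, victim, new_password):
    """Copy the hash from the hint page into the change-password request."""
    leaked = extract_uid_hash(site.password_hint_page(victim))
    if leaked is None:
        return "Input Error"  # nothing usable in the page source
    return site.change_password(victim, new_password, uid_hash=leaked)


class HardenedSite:
    """Same features; the authenticator is no longer derivable or exposed."""

    RESET_TTL = 15 * 60  # assumed reset-token lifetime, seconds

    def __init__(self, clock=time.time):
        self.passwords = {"alice": "hunter2", "bob": "s3cret"}
        self.hints = {"alice": "pet name", "bob": "first car"}
        self._clock = clock
        self._reset = {}  # sha256(token) -> (user_id, expiry); raw token never stored

    def password_hint_page(self, user_id):
        # Nothing secret, and nothing derivable per user, in the page source.
        return f"<p>Hint: {self.hints[user_id]}</p>"

    def issue_reset_token(self, user_id):
        # Random, short-lived, single-use, and delivered out of band (assumed:
        # mailed to the address on file), never embedded in a page.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._reset[digest] = (user_id, self._clock() + self.RESET_TTL)
        return token

    def change_password(self, user_id, new_password, *, session_user=None, reset_token=None):
        # Two ways in: a session authenticated as this user, or a live reset
        # token bound to this user. Knowing the user ID alone buys nothing.
        if session_user == user_id:
            authorised = True
        elif reset_token is not None:
            digest = hashlib.sha256(reset_token.encode()).hexdigest()
            entry = self._reset.pop(digest, None)  # pop: burned on any use, valid or not
            authorised = (entry is not None and entry[0] == user_id
                          and entry[1] > self._clock())
        else:
            authorised = False
        if not authorised:
            return "Input Error"
        self.passwords[user_id] = new_password
        return "OK"


if __name__ == "__main__":
    print("vulnerable:", takeover(VulnerableSite(), "alice", "pwned"))  # OK
    print("hardened:  ", takeover(HardenedSite(), "alice", "pwned"))    # Input Error
```

The hardened handler deliberately consumes a reset token on any attempt, including one presented for the wrong user, so a token mailed to the real owner cannot be retried against other accounts; the e-mail notification with the requester's IP address that the article mentions is a complementary, after-the-fact control and is not modelled here.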
This archive was generated by hypermail 2b30 : Wed Apr 03 2002 - 03:49:41 PST