Vladuz is back


Auctionsbytes reports that Vladuz, the Romanian hacker, is back on eBay. eBay themselves have confirmed that he was able to gain access to “a very small number” of accounts, which he then suspended. There’s some indication that he targeted those who have been critical of him on eBay message boards: one user, for example, received an email quoting his own post wishing that Vladuz would get caught, with the comment “Oh ya? F*** you.” Another received an email saying “Stop saying sh*t stuff about me, a**hole”, signed by Vladuz: when she tried to sign into her eBay account, she received an alert that it had been suspended due to seller non-performance issues.

eBay spokesperson Nichola Sharpe said that “the fraudster did this by accessing externally visible servers not by hacking into the eBay site.” There’s no indication of what other information may have been on these servers, though eBay did work very quickly to restore the accounts: most seem to have been returned to their owners within an hour, and eBay are now contacting those affected to reassure them that their information is secure. Sharpe said “at no point did the fraudster get any access to financial information or other sensitive information.”

8 Responses

  1. Re: eBay spokesperson Nichola Sharpe said that “the fraudster did this by accessing externally visible servers not by hacking into the eBay site.”

    The above seems a very precise but curious phrase. If the Auctionbytes report is correct it implies that without ‘hacking’ (breaking into parts of the site that are otherwise closed or password protected) it is possible for a person external to eBay to perform functions that should only be available internally (change other users’ passwords, NARU sellers, end auctions, and so on).

    External mail routing servers, access gateway servers, search system servers, and so on may be visible externally; everything else should be internal and just serving data to password validated users. There has been a recent change to introduce a single sign on, shared with liveworld for the forums, perhaps there was a problem with that implementation. Perhaps the breach dates back to the previously compromised customer service accounts. Pending a final closure of the problem eBay won’t want to release too much detail.

    There seems to have been an impressive speed of response by eBay to restore the compromised accounts and they should be commended for that.

    What we now need is a simple public statement from eBay explaining in very broad terms what (if any) data/processes were exposed.

  2. I must admit, I don’t know enough about how it all works to understand why hacking an “externally visible server” which can still NARU accounts is technically not hacking eBay. TBH, I’m quite happy to not have the details of this out there, so long as they close the seemingly never-ending set of loopholes that Vladuz and his friends manage to wiggle through. And then tell us all they’re closed.

  3. I very much agree.

    eBay need to balance the release of information versus the risks of additional threats or negative press treatment. I think they are playing it right save for a clear statement about what (not how) was or was not exposed. It’s about customer confidence. They are damned either way but it’s better to be open about any faults (having closed the holes) than see long term nit picking and negative press.

  4. I don’t know exactly what happened in this case and wouldn’t like to guess. However something similar could be done as simply as a re-direct to a spoof page which says you’re suspended when you’re not. It could theoretically be done based on the user’s IP address with a man in the middle attack without even touching eBay’s servers at all.

  5. Yes there are many possibilities. The method is less important than the issue of customer confidence.

    Hence the suggestion that a simple ‘comfort’ eBay press release might help.

    No doubt it will arrive in due course.

  6. The security error was unfortunate (sloppy) to say the very least BUT it’s good to see eBay being open about what had happened. Far better to deal with a company which admits to the mistakes it makes than with one which seems to be in denial.

    Re “re-build the site from the ground up”. They have done it a few times, it’s a continuous process (will send you an email), and the scale of that operation is impressive. They do seem to have a history of poor change management, of generally good ideas implemented badly and then corrected later. A ‘rush to market and fix it later’ feel about their software change process. Recently, I think they have been getting a little better at software change and giving more attention to their image in terms of customer care.

    Still a way to go though
