Researcher Discovers Second eBay Vulnerability

No, the drama around the eBay breach is not over. Beyond probes by government agencies, a security researcher now says a second flaw could be used to hijack member accounts at the online auction platform.

According to Jordan Lee Jones, a college student in the United Kingdom, there's a second vulnerability that remains open to hackers. Jones said he notified eBay via e-mail on Friday and got no response. He has published what he calls the "eBay cross-site scripting code" on his blog.

Here's the backstory: Last Tuesday, eBay asked users to change their passwords in the wake of a cyberattack that compromised one of its databases. Unfortunately, it was a database that included eBay customers' names, encrypted passwords, e-mail addresses, physical addresses, phone numbers and dates of birth.

The PayPal Connection

We caught up with Dwayne Melancon, chief technology officer for Tripwire, to get his take on the unraveling eBay data breach story. He told us it appears the hack involved securely encrypted passwords, which makes it more difficult to gain access to users' eBay accounts en masse because it would require brute force decryption of passwords. But then he continued with a "however."

"However, the fact that user e-mail addresses, physical addresses, and dates of birth were taken in the breach is more concerning," Melancon said. "Criminals could use that information to masquerade as eBay customers on other sites, or perhaps use that information to 'social engineer' their way into users' other accounts on other services. Unlike the passwords, the other user-specific information was not encrypted and therefore easily reused by attackers."

What does Melancon suggest? For starters, eBay users should be required -- not simply asked -- to reset their passwords. What's more, password complexity rules should be in place to ensure users select complex passwords, he said. He also charged individual users...
