That a company as big as eBay would know better.
beer because I'm crying into it
A serious vulnerability that potentially allowed shoplifters to empty eBay ProStores shops and swipe customer credit cards has been fixed – according to the security researcher who says he found the hole. Mark Litchfield, an infosec pro at Securatary, told us he discovered a flaw in eBay-owned ProStores that not only opened …
They do. But the problem with anything that big is the difficulty in controlling it. You can put out all the memos, directives, and policies you want, but if there's a break in the chain of command, it won't happen. The longer the chain of command, the more likely the break. And nobody wants to report bad news up. It can all be handled at the level where it's discovered without need to worry the bosses who wouldn't know how to fix it anyway, right?
Litchfield stated: "...why would the full card information need to be returned in clear text to the administrator?"
As an administrator, you have the option to check or not check a box for "Show credit card information within administration". Anyone that's smart has it unchecked.
Also stated: "In short, it was possible to change the password of another administrator, then you could log in as that user with full administrative access to the store," Litchfield claimed.
If you are logging in several times a day, I would think that this would be caught fairly quickly.