Password bug let me see shoppers' credit cards in eBay ProStores, claims infosec bod

A serious vulnerability that potentially allowed shoplifters to empty eBay ProStores shops and swipe customer credit cards has been fixed – according to the security researcher who says he found the hole. Mark Litchfield, an infosec pro at Securatary, told us he discovered a flaw in eBay-owned ProStores that not only opened …


  1. edge_e

    you'd hope....

    That a company as big as eBay would know better.

    beer because I'm crying into it

    1. Tom 13

      Re: you'd hope....

      They do. But the problem with anything that big is the difficulty in controlling it. You can put out all the memos, directives, and policies you want, but if there's a break in the chain of command, it won't happen. The longer the chain of command, the more likely the break. And nobody wants to report bad news up. It can all be handled at the level where it's discovered without need to worry the bosses who wouldn't know how to fix it anyway, right?

  2. Sureo

    ...bought by eBay in 2005....

    The bugs were free.

    1. edge_e

      Re: ...bought by eBay in 2005....

      I agree they were free but that's 8 years they've had to fix it

  3. Davy Jones

    Litchfield stated: "...why would the full card information need to be returned in clear text to the administrator?"

    As an administrator, you have the option to check or not check a box for "Show credit card information within administration". Anyone that's smart has it un-checked.

    Also stated: "In short, it was possible to change the password of another administrator, then you could log in as that user with full administrative access to the store," Litchfield claimed.

    If you are logging in several times a day, I would think that this would be caught fairly quickly.

