New XSS vuln hits eBay as rubbish passw0rds persist

eBay punters rushing to secure accounts could be selecting the world's worst passwords after the online tat bazaar was found accepting the most common and weakest passwords in contravention to its stated policy. eBay has been slowly asking its users to reset account passwords after it admitted last week that unknown criminals …


This topic is closed for new posts.
  1. silent_count

    Is it just me...

    ... who finds it curious that ebay is being all cagey about their "proprietary" hashing algorithm? I suspect they're trying to hide behind "proprietary" so that hopefully (from their perspective) nobody discovers that their hashing routine is just as crap as their ability to securely handle their other customer info.

    1. John H Woods

      Re: Is it just me...

      Indeed - the very first thing you learn when you start to understand cryptographic techniques is that you will never* be good enough to roll your own.

      *obviously there's always a slim chance that you are a maths genius in their twenties, and maybe you will have a contribution to make in a decade or two

    2. Sir Alien

      Re: Is it just me...

      Or "proprietary" is simply another term for "we don't want to admit storing plain text/weak passwords"

      I know of one game company that will not accept any non-alphanumeric characters in their passwords which seems to raise the suspicions of them storing plain text.


      1. Steve Graham

        Re: Is it just me... a limit of 20 characters is unnecessary unless you're actually storing them for your millions of customers.

        Another worry about "proprietary" implementations is that when I changed my password on PayPal (also 20-chars max) and used a character outside the 7-bit ASCII range, I was told that I could not have "an accent" in my password. Actually it was a symbol, but a hashing algorithm shouldn't care, right?

    3. Anonymous Coward

      Re: Is it just me...

      One wonders if a FOI request would be enough to compel them to reveal their encryption/hashing system????

      1. James Gwinnett

        Re: Is it just me...

        ebay isn't a government department so they'd laugh at your FOI request and file it with the rest of the emails they don't care about - say, in their general customer support inbox.

  2. Destroy All Monsters

    Coder Kidz writing code under supervision of Suits ...

    ....then both falling down stairs.

    We need a "Film at 11" icon.

  3. The Dark Lord

    eBay PR

    Based on the tweet exchange I had with them, I'm not sure whether eBay's staffers would pass a Turing Test.

    They seemed unable to cope with the notion that the security of the user database was not dependent upon the newness of passwords contained therein, just kept repeating the "it's important for security to change your password" mantra.

    Clearly, we can only assume that eBay itself has no confidence in the encryption mechanism used to store users' passwords. One could hope that the ICO will use this as an opportunity to gain some tax receipts from an obfuscated multinational, but I doubt that they have even the strength of will to achieve that, much less be a force for change in the security landscape.

  4. Pascal Monett

    A half-million in fines ? Who cares ?

    The real hit is going to be in consumer confidence. Hopefully it will cost them a lot more than that.

    1. Crazy Operations Guy

      Re: A half-million in fines ? Who cares ?

      Most consumers are idiots (especially on eBay) they'll forget about this the second a celebrity does something (such as saying something stupid or even just existing).

  5. Anonymous Coward

    "The company could face fines of up to £500,000 from the Information Commissioner's Office."

    But we all know bloody well it won't - a stern word of admonishment is about as tough as it's likely to get. Fines far bigger than 500k should be automatic for companies of eBay's size who are caught storing customer details unencrypted. There really is no excuse at all not to.

  6. Anonymous Coward

    eBay and password problems

    I changed my password a few months ago, before the latest eBay security crises, when I noticed that it wasn't case sensitive, i.e. I could type my password in capitals, lower-case or any combination of both and still successfully login. What's up with that?!?!

    1. Mad Chaz

      Re: eBay and password problems

      It's called a crappy `all case the same` plain text comparison.

      In other words, they don't encrypt passwords or they don't do it right.

      1. Anonymous Coward

        Re: eBay and password problems

        or they know the average IQ of their users and realise the number of complaints they'd get because users had inadvertently got caps-lock on.

        So the passwords are stored and compared as:

        hash( strtolower( $password ) )

        (or equivalent)

  7. Donut4000

    20 char limit?

    That's weird - when I changed my eBay password last week after the snafu, I used the password generator in 1Password to produce a 50 char alphanumeric and non-pronounceable string that was accepted without fuss. I see from the article's screen grab that indeed 20 characters is a no-no.

    1. Sir Alien

      Re: 20 char limit?

      Who knows... maybe they simply truncate your password so when it gets spat out the other end it is only 10 characters. And then someone accidentally took that feature out and BAM, error.

      ICO probably like most say, will do nothing about it yet strange thing is the little guy in the same position would be in prison, fined a million pounds and lashed in public (ok the last one is a bit of drama added)

      1. Anonymous Coward

        Re: 20 char limit?

        It amazes me the number of sites that make no mention of what their rules on password length and allowed character types actually are, leaving you to guess. The 'better' version at least tells you it's too long or only alphanumerics are allowed; far too many allow it, then lock you out.

        The variety MS uses on OneDrive suggests using letters and numbers up to 16 chars, then calls your randomised password crap whatever it is. But it does actually allow symbols (I suppose it might strip them) but still won't rate your password any better if it has them.

        Smaller sites seem to be much better at laying out their policy explicitly, but only a fraction of large ones get it right. Not exactly taxing to get someone to spend an hour writing it out, is it?

  8. Busby

    Why aren't the ICO fines capped on a per-user basis? Say at 10k per user, and if you really mess up that is the maximum you would face. At least then these massive corps may take security seriously.

    Unless the fine is set per user/customer exposed then eBay, Google et al can afford to ignore security safe in the knowledge any fine will be peanuts.

  9. Crazy Operations Guy

    So many stupid password restrictions.

    A proper hashing algorithm is just going to digest the password and turn it into a fixed-length string of hex characters. It shouldn't matter what or how much you cram into the password field. The hashing algorithm should just see the password as a series of bits, nothing more.

    Whenever I see restrictions like this, it just screams "here be exploits!" and far too many times I find that the site is vulnerable to even the simplest of SQL injection attacks.
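    An added example (mine, not any commenter's and not eBay's code) of the point made in this post and in the hash( strtolower( $password ) ) comment above: a proper password hash takes bytes of any length and any character set and returns a fixed-size digest, whereas lowercasing before hashing makes a wrong-case password verify. The PBKDF2 parameters and the 50-character sample password are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; chosen for this example, tune it to a
# currently recommended value for production use.
ITERATIONS = 200_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  case_fold: bool = False) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password of any length and any characters.

    case_fold=True reproduces the flawed hash(strtolower($password)) scheme
    from the thread, where "PassWord" and "password" give the same digest.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh random salt per password
    if case_fold:
        password = password.lower()          # the mistake: discards case
    # The KDF only sees bytes: UTF-8 encoding handles accents and symbols,
    # and the output is always 32 bytes regardless of input length.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    case_fold: bool = False) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    _, candidate = hash_password(password, salt, case_fold=case_fold)
    return hmac.compare_digest(candidate, digest)


# Constructed sample: 50 characters, mixed case, and a non-ASCII symbol.
SAMPLE_PASSWORD = "Tat-Bazaar€2014" + "xK9#qL" * 5 + "Zz!@!"


def demo() -> dict:
    """Hash the sample with both schemes and report what each one accepts."""
    salt, good = hash_password(SAMPLE_PASSWORD)
    _, folded = hash_password(SAMPLE_PASSWORD, salt, case_fold=True)
    wrong_case = SAMPLE_PASSWORD.swapcase()
    return {
        "digest_len": len(good),
        "correct_accepted": verify_password(SAMPLE_PASSWORD, salt, good),
        "wrong_case_rejected": not verify_password(wrong_case, salt, good),
        "folded_accepts_wrong_case":
            verify_password(wrong_case, salt, folded, case_fold=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```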

  10. TopOnePercent

    ICO are worthless

    They're just a tick box exercise so the government have delegated responsibility to someone.

    I've had various arms of the public sector wilfully breach the DPA in the past, and when reported to the ICO, they simply laughed it off. "We've written to <insert hopeless gov dept here> and reminded them of their responsibilities under the DPA".... well, yeah, but I'd already done that prior to raising the complaint.

    The only way the DPA will be taken seriously is with large mandatory penalties and enforced dismissals of those responsible. Anything else is tinkering around the edges of a system that doesn't work.

    1. Michael Dunn

      Re: ICO are worthless

      The enforced dismissals is the clincher; responsibility doesn't stop at the clerk/office worker actually making the mistake; they have supervisors and setters of security policy.

      A local authority just laughs at a fine: there are plenty of taxpayers! Start sacking officers and managers, and you could 'concentrate their minds.'


Biting the hand that feeds IT © 1998–2022