New XSS vuln hits eBay as rubbish passw0rds persist

eBay punters rushing to secure accounts could be selecting the world's worst passwords after the online tat bazaar was found accepting the most common and weakest passwords in contravention of its stated policy. eBay has been slowly asking its users to reset account passwords after it admitted last week that unknown criminals …

COMMENTS

This topic is closed for new posts.
  1. silent_count

    Is it just me...

    ... who finds it curious that ebay is being all cagey about their "proprietary" hashing algorithm? I suspect they're trying to hide behind "proprietary" so that hopefully (from their perspective) nobody discovers that their hashing routine is just as crap as their ability to securely handle their other customer info.

    1. John H Woods

      Re: Is it just me...

      Indeed - the very first thing you learn when you start to understand cryptographic techniques is that you will never* be good enough to roll your own.

      *obviously there's always a slim chance that you are a maths genius in their twenties, and maybe you will have a contribution to make in a decade or two

    2. Sir Alien

      Re: Is it just me...

      Or "proprietary" is simply another term for "we don't want to admit storing plain text/weak passwords"

      I know of one game company that will not accept any non-alphanumeric characters in their passwords, which seems to raise the suspicion that they are storing plain text.

      SA

      1. Steve Graham

        Re: Is it just me...

        ...plus a limit of 20 characters is unnecessary unless you're actually storing them for your millions of customers.

        Another worry about "proprietary" implementations is that when I changed my password on PayPal (also 20-chars max) and used a character outside the 7-bit ASCII range, I was told that I could not have "an accent" in my password. Actually it was a symbol, but a hashing algorithm shouldn't care, right?

    3. Anonymous Coward

      Re: Is it just me...

      One wonders if a FOI request would be enough to compel them to reveal their encryption/hashing system?

      1. James Gwinnett

        Re: Is it just me...

        eBay isn't a government department, so they'd laugh at your FOI request and file it with the rest of the emails they don't care about - say, in their general customer support inbox.

  2. Destroy All Monsters

    Coder Kidz writing code under supervision of Suits ...

    ....then both falling down stairs.

    We need a "Film at 11" icon.

  3. The Dark Lord

    eBay PR

    Based on the tweet exchange I had with them, I'm not sure whether eBay's staffers would pass a Turing Test.

    They seemed unable to cope with the notion that the security of the user database was not dependent upon the newness of passwords contained therein, and just kept repeating the "it's important for security to change your password" mantra.

    Clearly, we can only assume that eBay itself has no confidence in the encryption mechanism used to store users' passwords. One could hope that the ICO will use this as an opportunity to gain some tax receipts from an obfuscated multinational, but I doubt that they have even the strength of will to achieve that, much less be a force for change in the security landscape.

  4. Pascal Monett

    A half-million in fines ? Who cares ?

    The real hit is going to be in consumer confidence. Hopefully it will cost them a lot more than that.

    1. Crazy Operations Guy

      Re: A half-million in fines ? Who cares ?

      Most consumers are idiots (especially on eBay); they'll forget about this the second a celebrity does something (such as saying something stupid or even just existing).

  5. Anonymous Coward

    "The company could face fines of up to £500,000 from the Information Commissioner's Office."

    But we all know bloody well it won't - a stern word of admonishment is about as tough as it's likely to get. Fines far bigger than 500k should be automatic for companies of eBay's size who are caught storing customer details unencrypted. There really is no excuse at all not to.

  6. Anonymous Coward

    eBay and password problems

    I changed my password a few months ago, before the latest eBay security crisis, when I noticed that it wasn't case sensitive, i.e. I could type my password in capitals, lower-case or any combination of both and still successfully log in. What's up with that?!

    1. Mad Chaz

      Re: eBay and password problems

      It's called a crappy `all case the same` plain text comparison.

      In other words, they don't encrypt passwords or they don't do it right.

      1. Anonymous Coward

        Re: eBay and password problems

        Or they know the average IQ of their users and realise the number of complaints they'd get because users had inadvertently got caps lock on.

        So the passwords are stored and compared as:

        hash( strtolower( $password ) )

        (or equivalent)

  7. Donut4000

    20 char limit?

    That's weird - when I changed my eBay password last week after the snafu, I used the password generator in 1Password to produce a 50-char alphanumeric and non-pronounceable string that was accepted without fuss. I see from the article's screen grab that indeed 20 characters is a no-no.

    1. Sir Alien

      Re: 20 char limit?

      Who knows... maybe they simply truncate your password so when it gets spat out the other end it is only 10 characters. And then someone accidentally took that feature out and BAM, error.

      The ICO, as most say, will probably do nothing about it, yet the strange thing is the little guy in the same position would be in prison, fined a million pounds and lashed in public (ok, the last one is a bit of drama added).

      1. Anonymous Coward

        Re: 20 char limit?

        It amazes me the number of sites that make no mention of what their rules on password length and allowed character types actually are, leaving you to guess. The 'better' version at least tells you it's too long or only alphanumerics are allowed; far too many allow it, then lock you out.

        The variety MS uses on OneDrive suggests using letters and numbers up to 16 chars, then calls your randomised password crap whatever it is. But it does actually allow symbols (I suppose it might strip them), but still won't rate your password any better if it has them.

        Smaller sites seem to be much better at laying out their policy explicitly, but only a fraction of large ones get it right. Not exactly taxing to get someone to spend an hour writing it out, is it?

  8. Busby

    Why aren't the ICO fines capped on a per-user basis? Say at 10k per user, and if you really mess up that is the maximum you would face. At least then these massive corps may take security seriously.

    Unless the fine is set per user/customer exposed, then eBay, Google et al. can afford to ignore security, safe in the knowledge any fine will be peanuts.

  9. Crazy Operations Guy

    So many stupid password restrictions.

    A proper hashing algorithm is just going to digest the password and turn it into a fixed-length string of hex characters. It shouldn't matter what or how much you cram into the password field. The hashing algorithm should just see the password as a series of bits, nothing more.

    Whenever I see restrictions like this, it just screams "here be exploits!" and far too many times I find that the site is vulnerable to even the simplest of SQL injection attacks.
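    Added example (not code from this thread or from eBay): a password store that does what the comment above describes, treating the password as bytes so neither length nor character set needs a limit, beside the case-folding variant `hash( strtolower( $password ) )` from the "eBay and password problems" thread, so the number of spellings each one accepts can be counted. PBKDF2 is a swapped-in standard KDF and the iteration count is an assumed value.

```python
import hashlib
import hmac
import itertools
import os
import unicodedata

# Work factor for PBKDF2-HMAC-SHA256. Assumed value, kept modest so the demo
# runs in seconds; OWASP recommends 600,000 for production use.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"", case_fold: bool = False):
    """Return (salt, digest) for a password of any length or character set.

    The password is NFC-normalised and UTF-8 encoded, so accents and symbols
    are just more bytes, and the digest is always 32 bytes.  With
    case_fold=True the stored value is hash(strtolower(password)), the scheme
    the thread above suspects eBay of using.
    """
    salt = salt or os.urandom(16)
    text = unicodedata.normalize("NFC", password)
    if case_fold:
        text = text.lower()  # Unicode-aware; PHP's strtolower is ASCII-only
    digest = hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    case_fold: bool = False) -> bool:
    """Recompute the digest and compare it in constant time."""
    _, candidate = hash_password(password, salt, case_fold)
    return hmac.compare_digest(candidate, digest)


def case_variants_accepted(password: str, case_fold: bool) -> int:
    """Count the upper/lower-case spellings of `password` the store accepts.

    Exact hashing accepts one; case folding accepts all 2**letters of them,
    so every letter contributes nothing to the effective keyspace.
    """
    salt, digest = hash_password(password, case_fold=case_fold)
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in password]
    return sum(
        verify_password("".join(variant), salt, digest, case_fold)
        for variant in itertools.product(*choices)
    )


if __name__ == "__main__":
    long_pw = "x" * 50 + "café€"  # constructed sample: long, with an accent and a symbol
    print(len(long_pw), "chars ->", len(hash_password(long_pw)[1]), "byte digest")
    print("exact:", case_variants_accepted("Ebay1", False), "spelling accepted")
    print("folded:", case_variants_accepted("Ebay1", True), "spellings accepted")
```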

  10. TopOnePercent

    ICO are worthless

    They're just a tick box exercise so the government have delegated responsibility to someone.

    I've had various arms of the public sector wilfully breach the DPA in the past, and when reported to the ICO, they simply laughed it off. "We've written to <insert hopeless gov dept here> and reminded them of their responsibilities under the DPA".... well, yeah, but I'd already done that prior to raising the complaint.

    The only way the DPA will be taken seriously is with large mandatory penalties and enforced dismissals of those responsible. Anything else is tinkering around the edges of a system that doesn't work.

    1. Michael Dunn

      Re: ICO are worthless

      The enforced dismissals are the clincher; responsibility doesn't stop at the clerk/office worker actually making the mistake, they have supervisors and setters of security policy.

      A local authority just laughs at a fine: there are plenty of taxpayers! Start sacking officers and managers, and you could 'concentrate their minds.'


Biting the hand that feeds IT © 1998–2022