Security loophole on eBay
Criminals have free access to the internal eBay database and can read out user data
Last modified on 10.09.2007
Translation of an article published by falle-internet.de, a non-profit organisation fighting cybercrime.
Red alert at eBay.de. eBay members are discovering that cyber-criminals can read out their basic account data. They receive fake Second Chance Offers directly in their email accounts and are redirected to a fake payment checkout page whose form already has their own postal code and address filled in.
Everyone who is able to find this web page can use it. It does not matter whether he is a criminal or someone else, such as a member of falle-internet.de who tested it for demonstration purposes only.
It seems that this data source is known to different groups of fraudsters, because they appear to be competing with each other. eBay members receive these fraudulent emails even while the auctions are still running. This is very bad for the sellers, because they might lose customers. Soon after a high bid, the bidders get a bunch of fake "Buy It Now" mails from all over the world. In different languages, scammers try to lure the bidders before their competing scammers do. There has to be direct access to the eBay database, because even the data of freshly registered accounts is instantly accessible. Tests show that even the management of eBay.de itself is not protected from this read-out:
Dr. Stefan Groß-Selbeck, Geschäftsführer Deutschland (CEO of eBay.de), can potentially receive this fraudulent offer containing his non-public address, which is stored in his eBay account. The offers differ in appearance depending on where they are sent from.
The data query and the sending of the emails are done automatically by a special script. After entering an item number in a form and pressing the START button, the script reports what it has done:
Nine out of eleven bidders will get an email; the remaining two will not, because their bids were too low, as the software reports. The bidders' email addresses are displayed and might be stored for further use.
Comparing this with the item's bidding list shows how precisely the script works.
In this fraudulent offer the bidders are asked to "Buy It Now". After doing so, a faked eBay web page opens ...
After accepting with a click on the button, you are forwarded to a payment checkout.
The shipping address is already filled in. The private data (email address and city) are the same as those stored with eBay and were read out from the eBay database at the same time.