eBay leak identified (changed on 12.09.2007):
Data received by PayPal
This article is a translation of the follow-up to the press information "Security loophole on eBay" from Sep 09 2007.
After the security loophole at eBay was reported throughout the international press, the original program code* of the two scripts used by the fraudsters was passed to the team of falle-internet.de.
An analysis of the scripts by experts of falle-internet.de shows that the security leak does not lie with eBay, as had been supposed. Instead, the criminals must have been taking advantage of a leak at eBay's company PayPal.
There are two scripts, which fit together perfectly. Here are the details:
Phase 1: Sending Emails to the Bidders
The purpose of the first script was to test the bidders of an already chosen auction for their suitability as victims and to send them an email containing a second chance offer.
This is the first script, which was called by the cyber-criminals and had to be fed with article numbers:
After the article numbers were entered, the script called eBay's corresponding bidder list and extracted the bidders' account names and bid amounts:
After that, the account names were passed in a confidential but unsecured call to a page at paypal.com, which delivered the corresponding email accounts. These were used to send a fake second chance offer to each bidder whose bid exceeded 90 Euros.
An email could look like this:
As soon as the fraudulent emails were on their way, the caller of the script got this in return:
Phase 2: Payment Request
When the Buy-It-Now button in the email was clicked, the link it contained opened the browser and called the second script on a web server:
The second online script opened a fake payment checkout website, where the interested bidders were asked to pay the amount of their bid through Western Union to one of two payees in London.
The data used by the script to fill in the auction title, bid and item number were handed over in the URL that called the script, thus avoiding any contact with eBay.
Indeed, the email address, the location with zip code and one further detail were presented; the last is supposed to have been mixed up with the street by mistake.
These data were obtained via a security hole at PayPal.
Into the Core
The core of both scripts, and supposedly of a lot of similar scripts, is the use of this site call:
$url = file_get_contents('http://www.paypal.com/cgi-xxx/webscr?cmd=_exxy-intxxxxxed-regxxxxxxion&link=0&NBO=1&ebay_id=' .$_GET[buyer]);
This (partly obfuscated) code shows that it calls a program module cgi-xxx/webscr hosted at paypal.com to retrieve eBay member data for the specified buyer.
Thus the source of the email and address data was not a PayPal database but, as has been reported, the database of eBay itself. This can be concluded without any doubt from the fact that even eBay members with no connection to PayPal received the fraudulent offers containing correct data sets.
In other words: the cyber criminals were able to help themselves to eBay's database via the detour through PayPal for some time, and undisturbed.
Only the massive use of the automatic scripts and the sending of offers even to non-PayPal customers revealed this connection.
This is worrying in two ways:
- PayPal obtained a [European] bank licence. A security leak allowing unauthorised access to user data cannot be acceptable at a bank.
- Would PayPal have been allowed to have access to the data picked up by the criminals? Even data of eBay members who were not registered with PayPal could be obtained through the leak. Obviously the PayPal server had direct access to the eBay data.
This leads to the question of who else besides PayPal may have obtained unrestricted access to eBay's database in this way, and what eBay thinks it can do to prevent security holes at third-party suppliers from becoming security leaks at eBay.
* The original program code was forwarded immediately to the Office of Criminal Investigation of Brandenburg by falle-internet.de.
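The bulk lookups described under "Into the Core" leave a recognisable trace on the serving side: one client requesting the same endpoint with many different ebay_id values. The following is an added example, not code from the article or from the analysed scripts, showing one way an operator could flag that pattern in web server logs. It assumes combined log format, counts over the whole log without a time window, and uses an arbitrary threshold; the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Path and query prefix exactly as quoted (partly obfuscated) in the article.
LOOKUP = "/cgi-xxx/webscr?cmd=_exxy-intxxxxxed-regxxxxxxion&link=0&NBO=1&ebay_id="

# Constructed sample log (combined log format). Client addresses are from
# documentation ranges and the account names are invented.
SAMPLE_LOG = [
    f'203.0.113.7 - - [09/Sep/2007:10:00:{i:02d} +0200] "GET {LOOKUP}bidder{i} HTTP/1.0" 200 512'
    for i in range(12)            # one client walking through 12 different accounts
] + [
    f'198.51.100.4 - - [09/Sep/2007:10:01:{i:02d} +0200] "GET {LOOKUP}alice_k HTTP/1.1" 200 512'
    for i in range(3)             # one client repeating a single account
] + [
    '198.51.100.9 - - [09/Sep/2007:10:02:00 +0200] "GET /index.html HTTP/1.1" 200 900',
    'garbage line that does not parse',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3} ')

def distinct_ids_per_client(lines, path="/cgi-xxx/webscr", param="ebay_id"):
    """Map each client address to the set of distinct account names it looked up."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines
        client, target = m.groups()
        url = urlsplit(target)
        if url.path != path:
            continue                      # not the lookup endpoint
        for value in parse_qs(url.query).get(param, []):
            seen[client].add(value.lower())
    return dict(seen)

def flag_enumeration(lines, threshold=10):
    """Return (client, distinct_count) pairs at or above the assumed threshold."""
    per_client = distinct_ids_per_client(lines)
    return sorted((c, len(ids)) for c, ids in per_client.items() if len(ids) >= threshold)

if __name__ == "__main__":
    for client, count in flag_enumeration(SAMPLE_LOG):
        print(f"{client} looked up {count} distinct ebay_id values")
```

Counting distinct values rather than raw requests keeps a client that reloads one account below the threshold while a script iterating over a bidder list stands out.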