Interesting People mailing list archives
IP: ebay sends passwords in the clear
From: Dave Farber <farber () cis upenn edu>
Date: Sun, 20 Feb 2000 17:44:06 -0500
X-Mailer: exmh version 2.0.2 2/24/98 Subject: fyi: ebay sends passwords in the clear To: Dave Farber <farber () cis upenn edu>, Phil Agre <pagre () alpha oac ucla edu> cc: Jeff.Hodges () stanford edu Reply-to: Jeff.Hodges () stanford edu From: Jeff.Hodges () stanford edu Date: Sun, 20 Feb 2000 14:36:56 -0800 disclaimer: I have not used Fromm's tool to verify his claims. JeffH ------- Forwarded Message Approved-By: aleph1 () SECURITYFOCUS COM Delivered-To: bugtraq () lists securityfocus com Date: Wed, 16 Feb 2000 11:03:17 -0800 Reply-To: rfromm () cs berkeley edu Sender: Bugtraq List <BUGTRAQ () SECURITYFOCUS COM> To: BUGTRAQ () SECURITYFOCUS COM From: Richard Fromm <rfromm () cs berkeley edu> Subject: ebay sends passwords in the clear Not as bad as not encrypting credit card numbers (they do encrypt that), but for some reason ebay doesn't bother to encrypt passwords. While they're certainly not the only web site doing this, I consider this a bit more serious than a website where one's password just holds personal preferences. Listing items for sale or bidding on items on ebay is allegedly entering into a legally binding contract (although I don't know if this has ever been tested in a court of law). So if someone sniffs my password he/she has the ability to misrepresent my identity in such a way that I could potentially be financially liable. I've been trying to get ebay to do something about this for a month and a half, to no avail. See http://avocado.dhs.org/ebpd/ for details, including an ebay password sniffer. - - Richard Fromm rfromm () cs berkeley edu ------- End of Forwarded Message
Current thread:
- IP: ebay sends passwords in the clear Dave Farber (Feb 20)