IP: ebay sends passwords in the clear

[Dave Farber <farber () cis upenn edu>]

> X-Mailer: exmh version 2.0.2 2/24/98
> Subject: fyi: ebay sends passwords in the clear
> To: Dave Farber <farber () cis upenn edu>, Phil Agre <pagre () alpha oac ucla edu>
> cc: Jeff.Hodges () stanford edu
> Reply-to: Jeff.Hodges () stanford edu
> From: Jeff.Hodges () stanford edu
> Date: Sun, 20 Feb 2000 14:36:56 -0800
>
> disclaimer: I have not used Fromm's tool to verify his claims.
>
> JeffH
>
> ------- Forwarded Message
>
> Approved-By: aleph1 () SECURITYFOCUS COM
> Delivered-To: bugtraq () lists securityfocus com
> Date:         Wed, 16 Feb 2000 11:03:17 -0800
> Reply-To: rfromm () cs berkeley edu
> Sender: Bugtraq List <BUGTRAQ () SECURITYFOCUS COM>
> To: BUGTRAQ () SECURITYFOCUS COM
> From: Richard Fromm <rfromm () cs berkeley edu>
> Subject:      ebay sends passwords in the clear
>
> Not as bad as not encrypting credit card numbers (they do encrypt that), but
> for some reason ebay doesn't bother to encrypt passwords.
>
> While they're certainly not the only web site doing this, I consider this a
> bit more serious than a website where one's password just holds personal
> preferences.  Listing items for sale or bidding on items on ebay is allegedly
> entering into a legally binding contract (although I don't know if this has
> ever been tested in a court of law).  So if someone sniffs my password he/she
> has the ability to misrepresent my identity in such a way that I could
> potentially be financially liable.
>
> I've been trying to get ebay to do something about this for a month and a
> half, to no avail.  See http://avocado.dhs.org/ebpd/ for details, including an
> ebay password sniffer.
>
> - - Richard Fromm
> rfromm () cs berkeley edu
>
> ------- End of Forwarded Message