Information Security News mailing list archives

Ebay Takes Action To Plug Password Hole


From: InfoSec News <isn () c4i org>
Date: Wed, 3 Apr 2002 02:45:29 -0600 (CST)

http://www.newsbytes.com/news/02/175614.html

By Brian McWilliams, Newsbytes
SAN JOSE, CALIFORNIA, U.S.A.,
02 Apr 2002, 10:27 PM CST
 
Responding to a report of a severe security flaw, Ebay [NASDAQ:EBAY]
has temporarily disabled a system at its online auction site for
changing user passwords.

Ebay spokesman Kevin Pursglove said the firm took the action to
prevent criminals from exploiting a vulnerability in the site's
authentication system that potentially enabled attackers to steal Ebay
users' accounts.
 
"This is a temporary solution until we can address the issue. We now
have to begin a process," said Pursglove.

The flaw, reported to Ebay last week by a Canadian security expert,
gave attackers the ability to easily change the password of nearly any
Ebay user, as long as the attacker knew the victim's user ID.

According to the expert, who identified himself only by his alias,
"Null," the security hole at Ebay potentially allowed attackers to
modify victims' auctions and bids.

"It's good to hear Ebay is taking steps to solve this problem," Null
said in an interview this evening.

In a document submitted to Ebay Friday, Null detailed how the
company's authentication system, which involved the use of a "hash" of
numbers and letters in the source code of its password pages, could be
subverted.

By cutting and pasting the special string of data from one page at the
site to another, an attacker could bypass Ebay's requirement that
users must be logged in before they can change their passwords, the
document said.

Using a test Ebay account, Newsbytes confirmed that the technique
enabled an unauthenticated user to reset another user's password.

When initially notified of the security issue Friday, Pursglove told
Newsbytes that the company was already aware of the scenario and had
no immediate plans to correct the flaw.

Pursglove acknowledged this afternoon that the vulnerability
identified by Null was new and was being fully investigated by Ebay.

Using the "view source" option in his Web browser, Null discovered
that Ebay was hiding a hashed version of the Ebay customer's user ID
in the HTML code of a page for requesting a password hint.

It was still possible this evening to force Ebay's system to generate
the "hash" corresponding to any user's ID. But the second step of the
attack, which included inserting the hash into a page for changing the
user's password, failed and generated an "Input Error" message.
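The design flaw the article describes is an authentication check that trusts a value the client supplies, where that value is derived only from public information (a hash of the user ID taken from the hint page's HTML). The following is an added illustration, not code from the article or from Ebay, of that weak pattern next to a password-change handler that takes the caller's identity from a server-side session, re-verifies the current password and checks a per-session CSRF token. User names, passwords, the token format and the in-memory stores are all constructed for the example.

```python
"""Added example (not from the article or from Ebay): a client-supplied hash
of a public identifier is not proof of authentication. The weak handler
shows the pattern; the hardened handler binds the change to a session.
All users, sessions and tokens below are constructed for the example."""
import hashlib
import hmac
import secrets


def _pw_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only so the example is self-contained; pick a
    # modern slow KDF (argon2id, scrypt) in a real system.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {}  # constructed store: user_id -> {"salt": bytes, "pw": bytes}


def add_user(user_id: str, password: str) -> None:
    """Create or overwrite a user with a fresh salt and password hash."""
    salt = secrets.token_bytes(16)
    USERS[user_id] = {"salt": salt, "pw": _pw_hash(password, salt)}


# --- Weak design: the pattern the article describes ------------------------
def hint_page_token(user_id: str) -> str:
    """What the hint page embeds in its HTML: a hash of the user ID alone.
    Anyone who knows the user ID can obtain it, so it contains no secret."""
    return hashlib.sha256(user_id.encode()).hexdigest()


def weak_change_password(token: str, new_password: str) -> bool:
    """Accepts the hint-page token as proof that the caller may change the
    password. The check identifies *which* account, never *who is asking*."""
    for user_id in list(USERS):
        if hmac.compare_digest(token, hint_page_token(user_id)):
            add_user(user_id, new_password)
            return True
    return False


# --- Hardened design --------------------------------------------------------
SESSIONS = {}  # constructed store: session_id -> {"user": str, "csrf": str}


def login(user_id: str, password: str):
    """Return a random session id on success, None otherwise."""
    rec = USERS.get(user_id)
    if rec is None or not hmac.compare_digest(
        _pw_hash(password, rec["salt"]), rec["pw"]
    ):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user_id, "csrf": secrets.token_urlsafe(32)}
    return sid


def safe_change_password(session_id, csrf_token, current_password,
                         new_password) -> bool:
    """Identity comes from the server-side session, not from anything the
    client computed. The current password is re-verified, and a per-session
    CSRF token stops a forged cross-site request from riding the session."""
    sess = SESSIONS.get(session_id)
    if sess is None or not hmac.compare_digest(csrf_token, sess["csrf"]):
        return False  # unauthenticated or forged request: refuse early
    rec = USERS[sess["user"]]
    if not hmac.compare_digest(
        _pw_hash(current_password, rec["salt"]), rec["pw"]
    ):
        return False
    add_user(sess["user"], new_password)
    return True


def demo():
    """Run both designs on constructed accounts and return the outcomes."""
    add_user("alice", "correct horse")
    # Weak path: a request carrying only the hash of the public ID succeeds.
    weak_ok = weak_change_password(hint_page_token("alice"), "caller-chosen")
    # Hardened path: no session is refused; a real session, its CSRF token
    # and the current password are all required.
    add_user("bob", "hunter2")
    no_session = safe_change_password("bogus", "bogus", "hunter2", "x")
    sid = login("bob", "hunter2")
    changed = safe_change_password(sid, SESSIONS[sid]["csrf"], "hunter2", "new pass")
    relogin = login("bob", "new pass") is not None
    return weak_ok, no_session, changed, relogin


if __name__ == "__main__":
    print(demo())  # (True, False, True, True)
```

The point of the contrast is where the proof of identity lives: in the weak handler it is a value the server handed out in page source and will hand out to anyone, so the handler is effectively unauthenticated; in the hardened handler nothing the client sends is accepted as identity, only a random session id the server issued after a password check. Ebay's interim fix of rejecting the second step with an "Input Error" is the minimal version of the same idea: stop honouring the pasted token.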

An announcement board at Ebay's site this evening warned customers
that the password change function was unavailable and that the company
was working to correct the situation.

Pursglove acknowledged that, in recent weeks, "a very small number" of
Ebay users have been locked out of their accounts by scam artists who
post fraudulent auctions in their names and rip off other Ebay
customers.

Ebay believes that some user accounts have recently been compromised
by criminals using "cracking" programs that attempt to guess or "brute
force" users' passwords. In addition, fraud artists have in the past
created bogus sites designed to trick Ebay users into divulging their
user IDs and passwords, Pursglove said.

According to Ebay, the technique discovered by Null would not enable
attackers to access victims' credit card numbers, although it would
allow them to view the user's credit card transaction history.

As a deterrent to fraud, Ebay previously e-mailed a notification to
users when their passwords had been changed. The automatically
generated message included the Internet protocol address of the
computer used to reset the password.

A review of Ebay's Billpoint site indicated that the password
vulnerability identified by Null did not appear to affect the
electronic payment service.

Ebay is at http://www.ebay.com

Billpoint is at http://www.billpoint.com



-
ISN is currently hosted by Attrition.org