Monday, 1 October 2007

eBay Insecurities

September 2007 has been a poor month for eBay, with a couple of security issues reported.

In the middle of the month, it was reported that two scripts existed which used a security hole within the PayPal API to obtain personal account details of eBay members via fake second-chance offers.

Later in the month, on the 25th, an attacker known as Vladuz posted personal details of about 1200 members, including credit card numbers and CVV codes, to the eBay Trust and Safety board. eBay has denied that the credit card information is valid, though third parties have disagreed with this statement.

More information on this incident below:-
http://www.auctionbytes.com/cab/abn/y07/m09/i25/s00
http://www.ebaymotorssucks.com/vladuz-is-back-again.htm

And now, earlier today on the 27th, another security hole was found which disclosed member postcode information to all and sundry. By simply adding an auction number to a public script on a Korean eBay website, postcodes and other information on the winners and bidders of public auctions were displayed without any form of authentication. This script used an eBay API that is documented on eBay's site. The hole was mentioned on the ebay.co.uk message board, and the post was later deleted.

My concern with all the above is the public nature of the PayPal API: anyone can explore and develop applications based on the PayPal API without registration. Is it responsible for a financial service provider to allow all to view its API? I don't believe so, especially in light of all the above.

Developer discussions are open, and require no registration at all:-
http://www.paypaldeveloper.com/pdn/board?board.id=api
https://www.paypal.com/IntegrationCenter/ic_documentation.html

An example call is:-
http://www.paypaldeveloper.com/pdn/board/message?board.id=api&message.id=2429
