
eBay Accounts Breached through Live Chat Vulnerability

eBay sellers in the UK are reporting a security breach that requires no hacking or programming skills whatsoever. In fact, it’s shockingly simple and potentially devastating to any account holder targeted by someone wanting to launch a malicious attack against them. On the other hand, sellers say they have discovered it also provides an easy way to get negative feedback removed from their account.

How It Works
Simply go to eBay.co.uk’s live chat and initiate a session; type in any User ID in the form, and the live-agent customer service rep will help you with any matter relating to the account of the User ID you enter into the form, not your own account. No password or other information is required – simply a User ID.

We’ve verified this for ourselves. Despite being logged in to eBay under our own account, when I entered a different User ID on the live-chat form, the eBay rep provided answers to my questions for that other user’s account.

When I asked which email address the transcript would be sent to (thinking it would be my own email address, since I was signed into eBay), the agent provided me with the email address of the account whose User ID I had entered into the form. It was the account of an active seller who had been registered with eBay since 2002.
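As an added illustration (not part of the original article, and not eBay’s code), the toy model below shows the authorization gap described above: a support handler that selects the account from the User ID typed into the chat form, beside one that only services the account the chat session is actually authenticated for and records every attempt so the account holder can be notified. All account names, emails and field names are constructed.

```python
"""Toy model of a live-chat support authorization check (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed account directory; "email" is where a chat transcript would be sent.
ACCOUNTS = {
    "seller_since_2002": {"email": "seller2002@example.invalid", "negative_feedback": 3},
    "visitor_account": {"email": "visitor@example.invalid", "negative_feedback": 0},
}


@dataclass
class ChatRequest:
    session_user: Optional[str]  # identity the customer is signed in as (None = anonymous)
    form_user_id: str            # User ID typed into the live-chat form
    action: str                  # e.g. "transcript_email", "remove_negative_feedback"


@dataclass
class AuditLog:
    events: list = field(default_factory=list)  # (status, session_user, form_user_id, action)


class AuthorizationError(Exception):
    pass


def weak_support_handler(req: ChatRequest) -> dict:
    """Vulnerable pattern: the serviced account is chosen by the form field alone,
    so any signed-in (or anonymous) visitor can have another user's account serviced."""
    return ACCOUNTS[req.form_user_id]


def hardened_support_handler(req: ChatRequest, audit: AuditLog) -> dict:
    """Hardened pattern: service only the authenticated account and audit the attempt.
    A mismatch between the form field and the session identity is denied and logged,
    which is what lets the real account holder be notified of the attempt."""
    if req.session_user is None or req.form_user_id != req.session_user:
        audit.events.append(("denied", req.session_user, req.form_user_id, req.action))
        raise AuthorizationError("User ID does not match the authenticated session")
    audit.events.append(("served", req.session_user, req.form_user_id, req.action))
    return ACCOUNTS[req.session_user]


def outcome(req: ChatRequest, audit: AuditLog) -> str:
    """Convenience wrapper returning 'served' or 'denied' for the hardened handler."""
    try:
        hardened_support_handler(req, audit)
        return "served"
    except AuthorizationError:
        return "denied"
```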

Sellers Have Reported Breach to eBay
A seller who informed EcommerceBytes of the breach said she tested it by having an eBay rep make changes to an old business account she owned when signed in with her current account. “I used a laptop that had never been used to access the (old) account, and a different router in a location that I’d never used to access it. I can think of nothing that would verify that I was the genuine account holder. I could discuss this account and make changes to it without logging in.”


She also said she knew of cases where sellers had used some of their buyers’ User IDs and requested eBay to remove negative feedback on their selling account, telling the live agent they had left the negative feedback ratings in error. “This too has been tried and tested.”

Another eBay seller wrote to us, echoing the concerns of the first seller. “The only way the targeted victim is aware that this has happened is if they receive the email notification and there is now a concern that eBay may have stopped the emails, so the victim has no way of knowing if they’ve been used and abused.”

The seller said he did not believe eBay was taking data protection seriously. “So far the silence from eBay over this loophole is deafening and more than a little worrying.”

We first wrote about something fishy going on with eBay Live Chat accounts in Monday’s EcommerceBytes newsletter after reports that posters on eBay’s discussion board were being impersonated. We had sent an inquiry to eBay on Sunday morning to ask what the issue could be, with no response.

Once we learned of the nature of the vulnerability, we sent an inquiry to eBay on Tuesday asking if it was aware of the privacy breach that lets anyone access another user’s account via Live Chat, and we asked for more information about the reported incidents.

eBay spokesperson Ryan Moore responded to our inquiry with the following emailed statement:

Protecting our customers’ information is of the highest importance. We enforce a multi-layered verification policy that requires customers contacting us through phone, chat or email to be properly authenticated before providing them with support on their account. Social engineering is a risk to any business that offers customer service and we have built our verification and account maintenance policies with this in mind. We have looked carefully at what has been reported and have taken corrective action. Likewise, we have communicated to all of our customer service representatives the importance of strictly adhering to our multi-layer authentication process.

What Now?
We emailed and left a message for Moore asking if eBay planned to notify all users who’ve had a live-chat session that their accounts may have been breached, what multi-layered verification actually meant, and if the live-chat vulnerability was isolated to the eBay UK live chat feature. (He has not responded.)

After receiving Moore’s sole response on Tuesday evening, we tried to initiate a live chat session on eBay UK, but it was outside of normal operating hours.


Ina Steiner
Ina Steiner is co-founder and Editor of EcommerceBytes and has been reporting on ecommerce since 1999. She's a widely cited authority on marketplace selling and is author of "Turn eBay Data Into Dollars" (McGraw-Hill 2006). Her blog was featured in the book, "Blogging Heroes" (Wiley 2008). Follow her on Twitter at @ecommercebytes and send news tips to ina@ecommercebytes.com.