A researcher reported a security flaw to eBay that would have enabled fraudsters to steal its members’ credentials, according to Motherboard, which wrote about the vulnerability on Monday.
The publication said eBay confirmed it received the report on December 11th but, due to a communication breakdown, didn’t patch the bug until Motherboard contacted eBay last week.
“The researcher, who goes by the name MLT, said anyone could have taken advantage of the bug to target individual eBay users and take over their accounts, or harvest thousands, if not millions, of users’ credentials by sending carefully crafted phishing emails to eBay users.”
The researcher and eBay both told Motherboard on Monday that the bug was patched. The publication said it didn’t appear that anyone exploited the flaw in the open, “although it’s possible that someone else other than MLT found the bug and used it for malicious purposes.”
eBay had sent a mass email to users in December warning them to update their personal information, which led some recipients to worry that there had been another breach like the one in 2014, which prompted eBay to send a mass warning to users.
eBay didn’t respond to our inquiry about the December 31st mailing, described in this article, where we noted the strange timing of such an email as many staff were off for the New Year’s holiday and thus unable to answer questions about the worrisome email.