Sun June 1 2014 12:36:43
New eBay Vulnerability Exposed Sensitive User Data
By: Ina Steiner
eBay's Director of Community inadvertently exposed sensitive seller data on his public profile page, without the sellers' knowledge, because of how image attachments are handled on eBay's Lithium-powered discussion boards. eBay users may also be unaware that images sent privately to other users through the eBay community messaging system may be displayed to anyone viewing their profile page.
eBay was unaware of the vulnerability until contacted by EcommerceBytes.
In one case, a Top Rated Seller had asked the eBay director Jeff Terrell how it was possible that under the new seller standards coming in August he would lose that status: "my question is, am I really a 'top rated seller' or a subpar seller driving customers away from eBay? Which is it and how could eBay have misclassified me so wrong under one of these methods?"
Terrell responded, "I can't talk about your individual case on a public forum, but I will send you a message by PM." But the image he sent to the seller privately along with the message became publicly viewable in the image gallery on Terrell's profile page.
The image contained the seller's name, user ID, and detailed information about feedback, Detailed Seller Ratings, Defect Rates, number of Open Cases, number of returns for Items Not as Described, number of Cancelled Transactions, along with statistics about claims and tracking.
(And sure enough, the screenshot showed that under the "Current Seller Level," he was identified as "Top Rated," but under "Projected Seller Level," the seller was rated "Below Standard.")
I asked eBay on Friday what caused images sent privately to become public.
eBay spokesperson Madeline Chadwick said, "At the request of three eBay customers, we ran preliminary reports for their accounts to see how their current seller performance would rate against the new standards we announced in March. A few of the reports were sent in image format by private message and appeared in a public photo album. Those images have been removed and the sellers have been informed. We are taking proactive steps to prevent this type of issue from occurring in the future."
But the issue doesn't just affect Terrell and the three customers whose data he exposed. Like Terrell, other users are unaware that an image they send to another member through eBay's community pages may appear in a public album on their eBay community profile page, where anyone who opens the profile can see it.
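To make the failure mode concrete, here is an added illustration written for this article; it is not eBay's or Lithium's code, which is not public, and the user names (jeff, seller_a, stranger) and image names are constructed. It models the flaw as described above, an attachment sent by private message being stored in the sender's profile album and inheriting that album's public visibility, next to a hardened variant in which visibility is decided by the message the image was sent in, plus an audit check that lists attachments an outsider can see.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Image:
    image_id: str
    owner: str
    # Participants of the private message the image was sent in;
    # None means the owner deliberately uploaded it to their public album.
    participants: Optional[FrozenSet[str]] = None


class LeakyGallery:
    """Models the flaw described in the article: an image attached to a
    private message is stored in the sender's profile album, and the album
    is readable by anyone, so the message's privacy is never consulted."""

    def __init__(self) -> None:
        self.images: Dict[str, Image] = {}

    def upload_public(self, owner: str, image_id: str) -> Image:
        img = Image(image_id, owner)
        self.images[image_id] = img
        return img

    def send_private_image(self, sender: str, recipient: str, image_id: str) -> Image:
        img = Image(image_id, sender, frozenset({sender, recipient}))
        self.images[image_id] = img  # lands in the same store as public uploads
        return img

    def can_view(self, viewer: str, image_id: str) -> bool:
        # Visibility comes from the album, not from the message: anyone may view.
        return image_id in self.images

    def visible_on_profile(self, viewer: str, profile_owner: str) -> List[str]:
        return sorted(i.image_id for i in self.images.values()
                      if i.owner == profile_owner and self.can_view(viewer, i.image_id))


class ScopedGallery(LeakyGallery):
    """Hardened variant: visibility is decided by the context the image was
    sent in. A private-message attachment is readable only by participants
    and never appears in a profile album."""

    def can_view(self, viewer: str, image_id: str) -> bool:
        img = self.images.get(image_id)
        if img is None:
            return False
        if img.participants is None:  # ordinary public upload
            return True
        return viewer in img.participants

    def visible_on_profile(self, viewer: str, profile_owner: str) -> List[str]:
        # Only images the owner explicitly uploaded to the album are listed.
        return sorted(i.image_id for i in self.images.values()
                      if i.owner == profile_owner and i.participants is None)


def leaked_attachments(gallery: LeakyGallery, outsider: str) -> List[str]:
    """Audit check: private-message attachments that a user who is not a
    participant in the message can see on the sender's profile page."""
    return [iid for iid, img in sorted(gallery.images.items())
            if img.participants is not None
            and outsider not in img.participants
            and iid in gallery.visible_on_profile(outsider, img.owner)]


if __name__ == "__main__":
    for cls in (LeakyGallery, ScopedGallery):
        g = cls()
        g.upload_public("jeff", "avatar.png")
        g.send_private_image("jeff", "seller_a", "seller_a_report.png")
        print(cls.__name__, "profile as seen by stranger:",
              g.visible_on_profile("stranger", "jeff"),
              "leaked:", leaked_attachments(g, "stranger"))
```

The point of the design is that the access decision for an attachment is bound to the conversation it was sent in, not to the uploader's album; the audit function is the check a platform owner would run across all users before deciding who to notify.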
eBay switched to Lithium last year after using Live World to power its discussion boards for many years. eBay is planning another overhaul to its community boards this month.
If you've sent images to eBay members via the forum's private messenger feature, check whether they've been made public. Clicking on your user name in the eBay discussion boards takes you to your profile page, where your images and albums can be found; any image you only ever sent by private message should not be there.
After our inquiry, eBay removed all images from Terrell's profile (he goes by the name of Jeff when posting on the boards), but it's not clear from eBay's response that they understand the full ramifications of this issue and will plug the hole. Nor is it clear whether they will communicate with all buyers and sellers who have used the Private Messenger service in order to make them aware of the issue.
The criminals who breached the eBay corporate network recently did so by gaining access to eBay employees' credentials. This latest incident shows that no attacker is needed: someone at the Director level can unwittingly expose private user data when the platform's defaults make a privately sent file public.