Ina Steiner EcommerceBytes Blog
News and insight focusing on ecommerce.
by Ina Steiner, Editor of EcommerceBytes.com
Sun June 1 2014 12:36:43

New eBay Vulnerability Exposed Sensitive User Data

By: Ina Steiner


eBay's Director of Community inadvertently exposed sensitive seller data on his profile page without sellers' knowledge thanks to a feature on the Lithium-powered discussion boards. eBay users may also be unaware that images sent privately to other users through the eBay community messaging system may be displayed to anyone viewing their profile page.

eBay was unaware of the vulnerability until contacted by EcommerceBytes.

In one case, a Top Rated Seller had asked the eBay director Jeff Terrell how it was possible that under the new seller standards coming in August he would lose that status - "my question is, am I really a "top rated seller" or a subpar seller driving customers away from eBay? Which is it and how could eBay have misclassified me so wrong under one of these methods?"

Terrell responded, "I can't talk about your individual case on a public forum, but I will send you a message by PM." But the image he sent to the seller privately along with the message became publicly viewable in the image gallery on Terrell's profile page.

The image contained the seller's name, user ID, and detailed information about feedback, Detailed Seller Ratings, Defect Rates, number of Open Cases, number of returns for Items Not as Described, number of Cancelled Transactions, along with statistics about claims and tracking.

(And sure enough, the screenshot showed that under the "Current Seller Level," he was identified as "Top Rated," but under "Projected Seller Level," the seller was rated "Below Standard.")

I asked eBay on Friday what caused images sent privately to become public.

eBay spokesperson Madeline Chadwick said, "At the request of three eBay customers, we ran preliminary reports for their accounts to see how their current seller performance would rate against the new standards we announced in March. A few of the reports were sent in image format by private message and appeared in a public photo album. Those images have been removed and the sellers have been informed. We are taking proactive steps to prevent this type of issue from occurring in the future."

But the issue doesn't just impact Terrell and the three customers whose data he exposed. Like Terrell, other users are unaware that an image they send to another member through eBay's community pages may appear in public albums on their eBay community profile pages.

eBay switched to Lithium last year after using Live World to power its discussion boards for many years. eBay is planning another overhaul to its community boards this month.

If you've sent images to eBay members via the forum's private messenger feature, check to see if they've been made public. Clicking on your user name in the eBay discussion boards takes you to your profile page where your images and albums can be found.

After our inquiry, eBay removed all images from Terrell's profile (he goes by the name of Jeff when posting on the boards), but it's not clear from eBay's response that they understand the full ramifications of this issue and will plug the hole. Nor is it clear whether they will communicate with all buyers and sellers who have used the Private Messenger service in order to make them aware of the issue.

The criminals who breached the eBay corporate network recently did so by gaining access to eBay employees' credentials. This latest incident shows how someone at the Director level can unwittingly expose private user data.
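The mechanism described above, as an added illustration that is not eBay's or Lithium's code: a constructed model of a forum image gallery with the weak behaviour the article reports (an image attached to a private message lands in the sender's public album) beside a hardened variant whose visibility follows the message's participants, plus the audit and clean-up a defender would run over existing messages. All user and image names are made up.

```python
"""Model of the private-message attachment leak described in the article.

Constructed example. Weak path: an uploaded image is stored in the
uploader's gallery with a default "public" visibility, and the gallery
knows nothing about the private message it was attached to. Hardened
path: visibility inherits the message's audience (sender + recipient).
"""
from dataclasses import dataclass, field

ANONYMOUS = "anonymous-visitor"   # anyone browsing a public profile page


@dataclass
class Attachment:
    image_id: str
    owner: str
    visibility: str                      # "public" or "private"
    allowed_viewers: set = field(default_factory=set)


@dataclass
class PrivateMessage:
    sender: str
    recipient: str
    attachments: list = field(default_factory=list)   # image ids


class Gallery:
    def __init__(self):
        self.items = {}                  # image_id -> Attachment

    def upload_weak(self, pm, image_id):
        # Weak: image goes into the sender's album, public by default,
        # regardless of the private conversation it belongs to.
        att = Attachment(image_id, pm.sender, "public")
        self.items[image_id] = att
        pm.attachments.append(image_id)
        return att

    def upload_hardened(self, pm, image_id):
        # Hardened: the attachment is private and only the two
        # participants of the message may ever view it.
        att = Attachment(image_id, pm.sender, "private",
                         {pm.sender, pm.recipient})
        self.items[image_id] = att
        pm.attachments.append(image_id)
        return att

    def can_view(self, image_id, viewer):
        att = self.items[image_id]
        return att.visibility == "public" or viewer in att.allowed_viewers

    def profile_album(self, owner, viewer):
        """What `viewer` sees when opening `owner`'s profile page."""
        return sorted(i for i, a in self.items.items()
                      if a.owner == owner and self.can_view(i, viewer))


def audit_leaked_pm_attachments(gallery, messages):
    """Defender check: PM attachments readable by a non-participant."""
    return sorted(i for pm in messages for i in pm.attachments
                  if gallery.can_view(i, ANONYMOUS))


def restrict_to_participants(gallery, messages):
    """Clean-up: re-scope every PM attachment to its message's two parties."""
    fixed = []
    for pm in messages:
        for image_id in pm.attachments:
            att = gallery.items[image_id]
            if att.visibility != "private":
                att.visibility = "private"
                att.allowed_viewers = {pm.sender, pm.recipient}
                fixed.append(image_id)
    return sorted(fixed)
```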


Readers Comments

by: Puck

Sun Jun 1 14:07:52 2014

eBay executives, no longer satisfied with shooting themselves in the foot, decide to blow off sellers' toes.

eBay management - The Gang That Couldn't Shoot Straight.

by: Orwellwasright

Sun Jun 1 14:32:26 2014


It's too bad..
The seller should have known better than to contact ebay in the first place

By now, any seller who has not figured out ebay is deliberately diminishing the seller base in order to funnel sales to their preferred partners is a fool.....
PERIOD!

How can a hard working, ethical outstanding seller drop from top rated to below standard? BY DESIGN STUPID!!!!!!!!!!!!!!!!!

SINCE THE NET EFFECT OF EBAY'S LATEST SELLER ATTACK IS THAT THOUSANDS OF SELLERS' BUSINESSES ARE GOING TO BE DESTROYED, THE LOGICAL CONCLUSION IS THAT IS THEIR INTENT

SHEEESH !!
WISE UP
GROW UP

ABANDON YOUR ABUSERS

For the first time in 14 years i have nothing listed on ebay

FOURTEEN YEARS I invested with these B*****D's

I moved on, you should too


by: froggie

Sun Jun 1 14:37:17 2014

Just when you think that things couldn't possibly get worse, they do. And what, pray tell, are they doing about the XSS vulnerability?

http://www.pcworld.com/article/2241305/latest-ebay-flaw-is-a-rookie-mistake-for-a-website.html

Not news to many of us, but how many new buyers and sellers know that their accounts can easily be hacked by the cross site scripting flaw in eBay's coding?

by: Ming the Merciless

Sun Jun 1 14:47:09 2014

The list of ebay's defects is a mile long and getting longer.

A British citizen discovered another major flaw just last week which ebay failed to announce.

The CEO of ValueWatch had his PayPal account hacked last week -- his PayPal password was the same as his ebay password. While that was a bad idea on his part, the PayPal hack likely came as a result of the ebay hack.

The "flawed" coding should tell everyone including the Wall Street ostriches that ebay simply doesn't want to expend the resources necessary to create a safe trading environment and demonstrates their complete disrespect and contempt for their customers.

Ebay had better clean up its many, many, many defects before using this greedy but insane idea against sellers.

If not watch the lawsuits fly.

Pierre, wake up. The Ho is killing and may have already killed your golden goose.

by: gramophone-georg

Sun Jun 1 14:54:02 2014

This is a frightening yet oh-so-classic example of the arrogant incompetence that is eBay. If there is ONE PERSON in eBay management who has positively NO EXCUSE not to know how their hired forum framework functions, it should be Jeff Terrell as ''Director'' of the eBay Community- yet, incredibly, he is the VERY PERSON at the center of this latest little flap.

With this sort of bumbling incompetence at the very helm of the eBay Community, there is no possible way on earth or anywhere else that even the most sophisticated site security and/ or software can possibly protect users.

I saw those images, as did several other users, and what is important here is that it *appears* that what was exposed- and this is very important- was the eBay internal ''eyes only'' type seller report and NOT the typical report that a seller sees on his dashboard! The exposed reports not only contained seller personal information- they also contained what *appears* to be eBay internal code- such as a seller number- which I wouldn't be surprised if this is how eBay employees access seller accounts without needing to know individual passwords.

Even if this stuff was all encrypted- and we should all hope that it is- we need to keep in mind that hackers can hack in with even LESS information than this... AND THESE IMAGES WERE ON TERRELL'S PUBLIC PROFILE PAGE FOR WELL OVER FOUR WEEKS! I know of a few other posters on the Boards who PM'd Terrell to alert him of this, and they were either never answered, or they got a ''form'' response about something totally unrelated to their concerns. So, the weeks went by with Terrell talking down to posters on the Boards about security concerns while blissfully and serenely unaware that he was exposing potentially sensitive private information of others right in his own public profile. ONLY NOW can I understand how it took eBay months to wake up and realize that hackers had absconded with the info of 145 million users.

Jeff Terrell is the guy who has been basically pooh-poohing posters' concerns about the recent hack. He's also the architect of the whole eBay/ Lithium Community partnership... and yet he DIDN'T KNOW HOW THIS PUBLIC PROFILE PHOTO ALBUM WORKED??? Not even a clue?

All I can say is ''WOW''. eBay should take some lessons in site security from the Keystone Cops- that would be a great start on the road to improvement for them, and on a scholastic level that they *might* understand.

by: wonderswhy

Sun Jun 1 14:55:20 2014

Why they switched to Lithium and that cassini search is beyond me, if it works don't fix it, seems the site got worse than horrible since they changed it, maybe it was to increase profits (probably). Profits go down when your site is not safe and now with this it's just a big can of worms. A company this big, paying millions of dollars to the CEO and they cannot protect its sellers and buyers who made them. Their new message boards are filled with ebay people telling you how great they are. Nobody there was paying attention or cared, they weren't doing their jobs, they are an embarrassment. Maybe they'll let the sellers alone now.

by: renegade-chance

Sun Jun 1 15:31:33 2014

It just goes to prove... ... that Jeff can be held accountable for his actions in ways you don't suspect.

If even JEFF as Director of Ebay Community does not know all the policies and features of the programs and departments he has under his director role, then how in Hades are WE, the Community or Ebay phone reps and supervisors supposed to know policy and programs inside out?

It's interesting to note that other online companies like Amazon, Etsy, Bonanza, etc. have consistent, constant policies and programs with common sense and sound business protocol... ...then why can't Ebay do the same?

This constant change both announced and unannounced to the site is causing major problems, users are losing confidence in the platform and these users are leaving Ebay for other platforms out of fear and practicality to embrace the places where constant change does not exist that cause major and minor upheaval to their hobbies and businesses.

by: iheartjacksparrow

Sun Jun 1 15:51:07 2014

Just when you think eBay can't possibly screw up anything else on their site, they do! At this point, I don't know how any person, seller or buyer, could trust eBay not to ruin their professional or personal lives since some "glitch" seems to occur on a daily basis.

by: gramophone-georg

Sun Jun 1 16:07:17 2014

Renegade- Isn't it profoundly disturbing when the very eBay exec that personally orchestrates forum posters getting lifetime forum bans for such ''violations'' as simply mentioning another poster's first name in a thread when responding to them is the exact same exec that gets a ''pass'' when ''inadvertently'' exposing someone's full personal ''eBay Eyes Only'' information chart FOR WEEKS in his public profile photo album?

This must be part of the ''level playing field'' we hear so much about on eBay.

by: gramophone-georg

Sun Jun 1 16:18:12 2014

In addition- I've been meaning to say THANK YOU, INA for running this story- it was your alert alone that got said information from said public profile removed... not that Terrell wasn't informed of it long before this, but eBay will be DAMNED if they listen to or heed any ''noise'' from their paying customers.

by: ebay refugee camp

Sun Jun 1 18:04:44 2014

Ebay's data that they are showing on my dashboard is completely incorrect. I use ebay shipping and all of my items have tracking, but not according to them, and then the number they have for tracking within handling time is incorrect also.
I understand this is the case for the majority.
Ebay is not treating sellers fairly and this is going to cause a mass exodus this fall.
This is completely unacceptable, we are their customers and we are treated horribly.
My off ebay sales continue to grow and this is certainly the case for many sellers.
Ebay exposes data, they do not care.
Ebay sales plummet they do not care.
Ebay hacked not announced for months.
The complete beating down of sellers is absolutely absurd and unacceptable. It is getting so bad that this is going to end badly for ebay.
The other venues I use are not doing this and those sales are growing.
Ebay needs to concentrate on advertising and increasing sales but they seem to be more interested in eliminating sellers from the TRS program and prompting buyers to file cases at every page you turn on ebay.
I have never seen a company so misguided in my life; it is like they are deliberately doing the opposite of what should be done.
The more sellers complain the more the executives retaliate with programs that hurt instead of help.
We are just noise to these people. Why? What company wants to decrease sales and alienate users?
This company is behind and barely keeping close to the natural progression to online sales from brick and mortar and yet we get more anal and quite frankly moronic programs.
Well when the next mass exodus happens that should open some eyes.
In the meantime start using other venues do it now because if you do not you are going to lose.

by: Ric

Sun Jun 1 18:26:32 2014

eBay's inexperienced, incompetent, disconnected, self-possessed CEO selected a team of C-Level management just like himself.

If you are wondering how the past, present and future corporate "defects" can and will continue to occur, simply reread the first paragraph for the answer.

by: Al G

Sun Jun 1 18:49:43 2014

''by: ebay refugee camp
Sun Jun 1 18:04:44 2014
Ebay's data that they are showing on my dashboard is completely incorrect I use ebay shipping and all of my items have tracking but not according to them, and then the number they have for tracking within handling time is incorrect also.
I understand this is the case for the majority.''

Right On Brother!

I haven't contacted eBay at this point because it probably will be futile. I'll wait until 20-Aug (the new Ides of March) & see if they got their act together - or they will kick the can down the street.

A really scary thought has come to my neurons - all of those low paid CSRs offshore have pretty much the same access as Jeff Terrell (without the ability to modify, I'd assume).

Question - is the security as tight as, let's say, in San Jose or Salt Lake City? Are they subject to swipe cards into the facility? Do their desktops have the minimal security features of no USB/floppy disk (sorry, DVD) ports to prevent someone from inserting a thumb drive & downloading ''stuff''?

Given the software problems eBay has experienced of late - the more easily hacked hardware by one well paid miscreant will do even more damage. A case in point is Edward Snowden - not paid, but able to obtain information from one of the most sensitive/secure sites in the US.

by: Philip Cohen

Sun Jun 1 18:54:48 2014

No doubt much of eBay’s anti-user actions (hiding/culling of small sellers; defrauding of all buyers at auction) are deliberate; the rest is clearly due to simple incompetence, from the very top to the bottom …

When one considers the respective share prices of Amazon and eBay today it is clear that Johnny Ho has already killed the goose that laid Pierre's golden egg. Had Pierre traded in all his eBay shares for Amazon shares in August 2007, prior to the Ho officially taking the helm, instead of his current ~$6 billion, his worth would now have been ~$32 billion; if I was Pierre I would be chasing the Ho and his team of other flightless birds around the eBay executive suite with an axe …

Still, the question remains, just how many more Thanksgiving dinners can possibly pass before Johnny Ho and the rest of his feathered friends finish up on the dining table …

eBay Inc, where the incompetent mingle with the malevolent [and the criminal] ... http://bit.ly/11F2eas

by: NetWatch

Sun Jun 1 19:05:56 2014

Yet while providing abysmal security and purging thousands of small sellers, ebay execs were paid lavish sums. Dustythings, a poster in the "New Things Happening At Ebay" thread on Seller Central (an eBay discussion board) had this to say: "I mentioned in a thread the outrageous compensation eBay execs receive. For example: the Chief Technology Officer makes $10 million annually, which is what many corporate CEOs are paid. For that kind of money eBay buyers and sellers should have the best security mechanisms money can buy. Instead, like Target, eBay execs are more concerned about preserving their bonuses.
What should also disturb you, most eBay execs appear to have recently shown up to eBay to simply feed from the trough, a trough YOU are filling. For example: why does a senior VP of Human Resources, who shows up in 2005, make $9.5 million annually (and that's not counting benefits and perks. These execs give themselves houses, luxury cars, 30 days vacation, first-class world travel on supposed work-related matters, bonuses, guaranteed employment contracts, usually 5 years, golden parachutes, matching contributions to retirement accounts, free health, dental, and vision insurance, free top-of-the-line electronics.)
For that kind of money I would expect eBay and PayPal to be some of the best run companies in the nation. Instead, eBay execs act like the government: when they need more money to fund their compensation and perks, they figuratively print more of it and increase taxes on sellers. If I were a fly on the wall I bet I would see eBay execs discussing changes with calculators in hand, figuring how much money they will personally make with every proposed move.
Anyway, if eBay and PayPal were subject to feedback and defect ratings, the public would close down both their accounts. eBay has so many black marks against it I can't keep track of them all. Heck, they even stole the BIN feature and had to settle that lawsuit for big money to keep using it on eBay.
And if eBay and PayPal were subject to the same standards as Target and the Veterans Administration, all of these top heads would be rolling out the door. And Donahoe would announce no 2014 bonuses.
But that is not going to happen. The execs appear to have insulated themselves from any responsibility for the harm they have caused to the public and in particular, eBay sellers. Heck, I think they even ratted out Carl Icahn to get him off their backs or to dish out some "retaliatory feedback," if you will."

by: Puck

Sun Jun 1 19:29:47 2014

''If even JEFF as Director of Ebay Community does not know all the policies and features of the programs and departments he has under his director role, then how in Hades are WE, the Community or Ebay phone reps and supervisors supposed to know policy and programs inside out?''

Jeff:
''Call customer service! Call customer service!
Caw! Caw!! Awk! Whistle!!''

And still no word from the CEO on any of this.

Things are very quiet in the Führerbunker.

The board of directors should put Donahole's picture on a milk carton.

by: bitbybit

Sun Jun 1 20:38:02 2014

Oh where, Oh where has Donahoe gone?
Oh where, Oh where can he be?

With his sellers in stress due to his bs of a mess
Oh where, Oh where can Donahoe be?

by: Deltamaster

Sun Jun 1 23:52:42 2014

I think that what is even more preposterous is that (as someone mentioned) JEFF was TOLD earlier that he had done this and ignored it until INA investigated it.

EBay staffer does something wrong that would have gotten anyone else kicked off... is informed of his transgression... blows off the informant and ignores them and lets the transgression go on for a long time. DOES NOT get kicked off!

Jeff SHOULD have lost his position and been demoted to cutting the grass with a commensurate reduction in pay!

Given the severity of this latest breach and his violation of board policy that would have gotten any other member kicked off the boards he should STILL lose his job!

by: Ming the Merciless

Mon Jun 2 00:05:39 2014

@Puck

"The board of directors should put Donahole's picture on a milk carton."

That, Puck, would sour the milk.

by: E-pins

Mon Jun 2 00:30:21 2014

Deltamaster
I think that what is even more preposterous is that (as someone mentioned) JEFF was TOLD earlier that he had done this and ignored it until INA investigated it.

Ina - "eBay's Director of Community inadvertently exposed sensitive seller data on his profile page without sellers' knowledge thanks to a feature on the Lithium-powered discussion boards"

Ina - "eBay was unaware of the vulnerability until contacted by EcommerceBytes."

Did Jeff Terrell inadvertently send confidential access to the wrong person at the wrong time, using the same methods in Ina's article?

Triggering the hack?

"Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said"

Those attorney generals better subpoena those credentials and identify those employees before a glitch wipes them out.

Ina - "it's not clear from eBay's response that they understand the full ramifications of this issue and will plug the hole"

Ebay Hack FAQ - "We believe we have shut down unauthorized access to our site"

BELIEVE huh? Think ebay is safe once more?
