Tue Aug 5 2014 21:40:48
eBay UK Has a Breach You Could Drive a Lorry Through
By: Ina Steiner
Remember that article in Monday's issue about something fishy going on with eBay Live Chat, where users reported their accounts were seemingly being accessed by third parties? Turns out there's a gaping hole in the system that lets anyone communicate with eBay about someone else's account.
You can see the story in Wednesday's EcommerceBytes newsletter.
No computer hacking or programming skills are required - anyone can initiate a live chat session on eBay UK and enter someone else's User ID while signed in under their own account.
Two sellers wrote to me this morning saying users have been able to get eBay live-chat agents to make changes to other people's accounts and have been able to enter buying IDs in order to get negative feedback removed from sellers' accounts.
eBay's PR department didn't respond to my inquiry sent Sunday about the reports of strange live chat activity. But they did respond on Tuesday afternoon when I asked about the eBay Live Chat breach users had uncovered. eBay's Ryan Moore emailed me a statement that defended its method of authenticating users' identity, characterized the breach as "social engineering" and stated it had taken corrective action.
We verified the vulnerability ourselves this afternoon; we can't test the system again now since eBay UK's live chat is down for the evening. But users should keep a close eye on their accounts and make sure everything appears to be in order.
Thanks to sellers for letting me know about the breach so I could reach out to eBay - apparently the reports they were sending to eBay weren't enough to get the company to take action.