EcommerceBytes-NewsFlash, Number 538 - May 15, 2003

Expired Domains Expose EBay Security Glitch


eBay's security was called into question twice this week as separate sources reported weaknesses in the log-in and password-recovery system that could let an attacker take over users' accounts.

The first report, by Europe's largest computer magazine, COMPUTERBILD, charges that a vulnerability exists in the "secret" security question eBay users set up when they first register on the site. The secret question is used when a person has forgotten their password, and is supposed to be something only the user would know, such as a pet's name. COMPUTERBILD reports that it was quickly able to find instances where the answer to a user's secret question was posted on that same user's "About Me" page.

The second eBay log-in vulnerability was discovered this week by AuctionBytes and confirmed by two Internet security experts.

AuctionBytes purchased a domain name that had recently become available after its original owner let the registration expire. After activating the domain and setting up a mailbox, AuctionBytes began receiving hundreds of spam messages addressed to former employees of the company that had owned the domain, over 20 different email addresses in all.

Pasting some of these email addresses into eBay's "Search by Seller" box pulled up the eBay IDs of people who had worked for the company that originally owned the domain. These employees had never changed their contact email address on eBay after the company dissolved.

Although AuctionBytes did not attempt to log into any of the idle accounts, it was evident that doing so would be easy: eBay's "send me a new password" feature mails a new password to the contact address on file, and AuctionBytes now owned the domain that receives all mail for those addresses. Whoever reads the new password at the "expired" address is treated as the verified account holder and can reach every area of the account, in effect hijacking it. Delivery of the email is the only proof of identity the feature asks for.

How simple was it? An expired domain can be bought for under $10 and set up with a "catch-all" mailbox that collects mail sent to any address at the domain. By entering the collected addresses into eBay's log-in page and requesting that new password information be sent, AuctionBytes could quickly have taken over more than half a dozen eBay accounts that had been idle since July 2000. One of the accounts came with 48 feedback points attached to the ID, a ready-made reputation for whoever took it over.

"It sounds really bad and quite clever," said Richard Smith, an Internet security and privacy consultant based in Cambridge, Mass. "This points out that the whole idea of recovering passwords is fraught with problems." Smith also acknowledged that this problem could potentially affect expired Hotmail and Yahoo! email addresses that have eBay IDs attached to them.

Kevin Pursglove, eBay's spokesperson, did not know whether eBay was aware that this problem existed, and he was unable to get back to AuctionBytes with additional information before press time.

One way this problem might be limited, according to Chris Hoofnagle, Deputy Counsel of the Electronic Privacy Information Center in Washington, DC, is for eBay to remove user IDs after a certain period of inactivity. "Companies with greater transaction costs do this. If you don't use the service after a certain period, they cancel your account," said Hoofnagle. "That check doesn't seem to exist in the online world."
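The kind of check a site could put in front of its "send me a new password" feature to close both the expired-domain hole AuctionBytes found and the inactivity gap Hoofnagle raises, as an added example in Python that is not eBay's code and not part of the original article. The WHOIS-style registration table, the account records and the 365-day idle threshold are all constructed for illustration; a real deployment would query live WHOIS or RDAP data and use its own policy numbers.

```python
"""Added example: a password-reset guard against the expired-domain takeover.

Illustrative code written for this article, not eBay's. The registration
table, account records and thresholds below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Tuple

# Constructed stand-in for a WHOIS/RDAP lookup: domain -> creation date of the
# *current* registration. A domain that lapsed and was bought again shows the
# new owner's registration date, which is exactly the signal we need.
DOMAIN_REGISTERED: Dict[str, date] = {
    "example-shop.test": date(2003, 5, 1),  # lapsed, re-registered by a stranger
    "stable-mail.test": date(1998, 3, 12),  # held continuously by one owner
}

# Accounts idle longer than this get no automatic reset (Hoofnagle's point).
INACTIVITY_LIMIT = timedelta(days=365)


@dataclass(frozen=True)
class Account:
    user_id: str
    contact_email: str
    last_login: date         # last successful authentication
    email_verified_on: date  # last time this address proved it was the user's


def domain_of(email: str) -> str:
    """Return the normalised domain part of an address, or '' if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower().rstrip(".")


def reset_decision(account: Account, today: date,
                   registrations: Dict[str, date] = DOMAIN_REGISTERED
                   ) -> Tuple[str, str]:
    """Decide whether a 'send me a new password' request may be honoured.

    Returns (decision, reason) with decision one of:
      'send'      -- mail the reset to the contact address
      'challenge' -- mail nothing; require an out-of-band proof of identity
      'deny'      -- refuse outright
    """
    domain = domain_of(account.contact_email)
    if not domain:
        return "deny", "contact address is malformed"

    registered = registrations.get(domain)
    if registered is None:
        # Unregistered domain: whoever buys it tomorrow receives the reset.
        return "deny", f"{domain} has no current registration"

    if registered > account.email_verified_on:
        # The domain changed hands after the user last proved ownership of the
        # address; mail sent there now reaches whoever bought the domain.
        return "challenge", (f"{domain} was re-registered on {registered}, "
                             f"after the address was last verified on "
                             f"{account.email_verified_on}")

    if today - account.last_login > INACTIVITY_LIMIT:
        return "challenge", (f"account idle since {account.last_login}, "
                             f"longer than {INACTIVITY_LIMIT.days} days")

    return "send", "contact address verified and account recently active"


# Constructed records mirroring the article: a former employee of a dissolved
# company whose domain lapsed, an ordinary active user, and a dormant user.
TODAY = date(2003, 5, 15)
FORMER_EMPLOYEE = Account("oldseller1", "alice@example-shop.test",
                          last_login=date(2000, 7, 15),
                          email_verified_on=date(2000, 7, 15))
ACTIVE_USER = Account("activeseller", "bob@stable-mail.test",
                      last_login=date(2003, 5, 10),
                      email_verified_on=date(2002, 1, 1))
DORMANT_USER = Account("dormant", "carol@stable-mail.test",
                       last_login=date(2001, 1, 1),
                       email_verified_on=date(2001, 1, 1))

if __name__ == "__main__":
    for acct in (FORMER_EMPLOYEE, ACTIVE_USER, DORMANT_USER):
        decision, why = reset_decision(acct, TODAY)
        print(f"{acct.user_id:13} {decision:9} {why}")
```

The registration-date comparison catches the case in the article, where a whole domain lapses and is re-bought. It does nothing for the case Smith mentions, a recycled address at Hotmail or Yahoo!, because those domains never change hands; there only the inactivity rule helps, and the "challenge" outcome should route to something stronger than the secret question COMPUTERBILD showed to be guessable, such as a previously verified phone number or a manual support review.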

eBay reports over 60 million registered users on its site, approximately 30 million of whom eBay defines as active users, leaving another 30 million accounts that have not been accessed within the past year.

eBay uses the number of registered users as a metric to assess performance, along with Gross Merchandise Sales (GMS) and number of items listed on the site.

About the author:

David Steiner is President of Steiner Associates LLC, publisher of and the merchant directory. David, a former television producer, handles business development and advertising for EcommerceBytes. You can reach him at

You may quote up to 50 words of any article on the condition that you attribute the article to and either link to the original article or to
All other use is prohibited.