Slashdot Mirror


Hacker May Be Exposing eBay Back Door

pacopico writes "A hacker specializing in eBay cracks has once again managed to masquerade as a company official on the site's message boards, according to The Register. A company spokesman denies that 'Vladuz's' repeated assaults on eBay point to a larger problem with the site's security. Of course, eBay two days ago claimed to have found a way to block Vladuz altogether, only to see him pop up again. The hacker himself made comments indicating that the company's email servers are connected somehow to the financial information eBay hosts."

21 of 73 comments

  1. FUD by User 956 · · Score: 4, Interesting

    The hacker himself made comments indicating that the company's email servers are connected somehow to the financial information eBay hosts.

    $100 says this guy has a huge short on ebay stock.

    --
    The theory of relativity doesn't work right in Arkansas.

    1. Re:FUD by AKAImBatman · · Score: 4, Funny

      I think you forgot, "This message (and house) will self-destruct in 10 seconds. 9... 8..."

    2. Re:FUD by Antique Geekmeister · · Score: 4, Insightful

      Publishing this sort of thing privately often doesn't work. I've had numerous security vulnerabilities ignored for years: the use of public FTP sites with users' private passwords is one of the most common. Publicly writable home directories used by both bosses and their secretaries is another; so are password-free SSH keys and software that stores passwords locally in clear text, and then NFS-exporting those directories.

      In practice, nothing forces a change faster than an obvious break-in that discomfits the boss's secretary: the second fastest is something that affects the stock price. Even something that is being actively used for break-ins is often ignored due to recalcitrant developers and users who cannot be troubled to use secure practices, or to invest in keeping their software upgraded. The worst of them are those who think "we're inside a firewall, we trust the people we work with!". Then they sneak in a laptop from home and expect it to just work.

  2. Time for a new plan.... by CasperIV · · Score: 5, Interesting

    Maybe ebay should just pay the guy to tell them how to fix their system and be done with it. You know that this will all end with an exploit for ebay being discovered and someone getting sued.

    1. Re:Time for a new plan.... by needacoolnickname · · Score: 5, Insightful

      Isn't that frowned upon?

      Breaking in. Taunting someone and then getting paid to fix things? Bad precedent, I would think.

  3. Not an auction site... by Radon360 · · Score: 5, Insightful

    ...eBay is just a venue for people to exchange items, such as malicious code into an unsuspecting user's browser.

    When will they learn to do something simple like disallowing META tags in item descriptions to stop redirects to sites with malicious code, rather than hiding such things and disavowing any responsibility?
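The filter the comment asks for, as an added example (not eBay's code and not from the original thread): a pass over listing HTML that drops `<meta>` tags, so a `http-equiv="refresh"` redirect never reaches the buyer's browser. Dropping `<script>`, `<iframe>` and the other tags in `DROP_TAGS` is an assumed extension beyond the comment's META-only point; the sample listing in the test is constructed.

```python
from html.parser import HTMLParser

# <meta> is the tag the comment names; the rest are an assumed extension of
# tags a listing sanitizer would also refuse (they load or run foreign content).
DROP_TAGS = {"meta", "script", "iframe", "object", "embed", "link", "base"}
VOID_TAGS = {"meta", "link", "base"}       # no end tag, nothing to skip

class DescriptionSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep &lt; escaped on output
        self.out, self.dropped, self._skip = [], [], 0

    def _emit(self, text):
        if not self._skip:                  # inside <script>..</script> etc.
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self.dropped.append((tag, dict(attrs)))
            if tag not in VOID_TAGS:        # swallow content up to the end tag
                self._skip += 1
        else:
            self._emit(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):       # <meta ... /> form
        if tag in DROP_TAGS:
            self.dropped.append((tag, dict(attrs)))
        else:
            self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            if tag not in VOID_TAGS and self._skip:
                self._skip -= 1
        else:
            self._emit(f"</{tag}>")

    def handle_data(self, data):        self._emit(data)
    def handle_entityref(self, name):   self._emit(f"&{name};")
    def handle_charref(self, name):     self._emit(f"&#{name};")

def sanitize_description(html):
    """Returns (clean_html, [(tag, attrs), ...] that were removed)."""
    p = DescriptionSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped

def is_meta_refresh(tag, attrs):
    """The <meta http-equiv="refresh"> redirect the comment describes."""
    return tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh"
```

The `dropped` list is worth logging per listing: a seller whose descriptions keep tripping `is_meta_refresh` is a signal on its own, independent of whether the redirect target was ever fetched.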

  4. Where is your mind at? by Anonymous Coward · · Score: 4, Funny

    "A hacker specializing in eBay cracks... may be exposing eBay Back Door"

    Sounds like the author has an anal fixation to me!

  5. Not the place to talk about exposed backdoors by spun · · Score: 4, Funny

    You just know what's gonna get posted soon...

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton

  6. Maybe Not by AKAImBatman · · Score: 4, Insightful

    Maybe they should use OpenBSD once and for all...

    Your choice in Operating System does little to mitigate bad coding. eBay has never been known for their technical wizardry and coding sophistication. It wouldn't surprise me if their back doors were wide open. (If you knew where to look.) For example, instead of having secure B2B messaging channels between different offices and departments, they might use machine formatted Internet Email that gets decoded by machine on the other side. Which would mean that a lot of "financial information" could be travelling over "their email system".

    10:1 says the guy is an employee who lost his gruntles.

    1. Re:Maybe Not by twiddlingbits · · Score: 2, Informative

      More likely someone put financial information in an email, or attached a spreadsheet of such, or got email containing their login information for the Accounting systems. Often when a new user gets set up, the first thing they get is email, and all the system access UIDs and passwords come via email. IF he can read that email he IS that person; the system knows no difference.

      Any firm that allows an EXTERNAL user to login to the company LAN or email server w/o a very secure two factor authentication (such as a RSA token or PGP, etc.) is really asking to be hacked. People use very low quality passwords and with a little "social engineering" you can find out lots.

    2. Re:Maybe Not by unboring · · Score: 3, Informative

      That might have been true in the past. But not so now.
      Read this, which is a presentation from one of eBay's technical architects. It outlines the evolution of the technology and the challenges they face, as well as the huge volume of data!

  7. I can solve this for EBAY by AmigaHeretic · · Score: 2, Funny

    I told EBAY I could resolve this for them once they send the PS3 to my address in Nigeria. The payment through Paypal will not post to their account until after they have mailed the package. What don't they understand about this?

  8. Idiots and their web sites... by Anonymous Coward · · Score: 2, Informative

    Web sites like eBay call for the use of high-quality, high-security operating systems like Linux, Solaris, HP-UX and AIX.

    Right, because Apache magically prevents you from misconfiguring your servers and writing bad code?

    Both IIS 5.0 and IIS 6.0 can be easily secured; IIS 6.0 is simply more secure "as installed". I ran one of the biggest hacker targets on the Net on IIS, and every single moron who announced giddily that "we are so owned, we are so stupid" walked away with their head hung low. Web site security is a mix of good administration and secure code. That's it. Choice of OS has surprisingly little to do with it.

    1. Re:Idiots and their web sites... by Anonymous Coward · · Score: 2, Insightful

      Both IIS 5.0 and IIS 6.0 can be easily secured, IIS 6.0 is simply more secure "as installed".

      Neither compare to the security of Apache. One of the main problems with IIS is that updates are so slow in coming after a vulnerability is discovered. And since you don't have the source code, you can't deal with the problem yourself. With Apache, patches are usually available within hours, sometimes even minutes, of a vulnerability being located. And you do have the source code, so you can immediately fix any problems.

      I ran one of the biggest hacker targets on the Net on IIS, and every single moron who announced giddily that "we are so owned, we are so stupid" walked away with their head hung low.

      There's a very good chance that your Microsoft-based servers were compromised, but you just weren't aware of it. One of the main problems with Windows is that it's possible (and quite easy) to run processes that aren't displayed in the Task Manager, nor are they listed on the Services configuration dialog. So in effect, your system can be running a trojan and you have no idea.

      UNIX systems, on the other hand, often display down to the thread level. Using ps, you can not only see every single process and thread that is running, but you can also see the complete path to the binary of that process. That way you can tell if somebody has hijacked your machine and is running a trojan under the name of another typical process (e.g. httpd, sendmail, sh).

      Now, it's possible for the ps command to be altered to not display certain processes. But there are numerous remedies. One is comparing the checksums of the ps binary on your system to that of the distribution or vendor. Another option is to rebuild it yourself, with source code from a known source.

      Regardless, it doesn't matter how good of an administrator you are. The technical nature of Windows systems leaves them wide open to vulnerabilities, including those that can't be easily detected.
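The first remedy the comment names, comparing the on-disk ps against the vendor's checksum, as an added example that is not from the thread: a digest manifest is taken from a known-good tree and the live tree is checked against it. The three paths in `WATCHED` and the whole scenario in `demo()` are constructed stand-ins (a real manifest would come from the vendor's package database or install media).

```python
import hashlib
import os
import tempfile

# Hypothetical binaries to baseline; a real manifest comes from the vendor's
# package database or a copy taken from known-good install media.
WATCHED = ["bin/ps", "bin/sh", "sbin/httpd"]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, rel_paths):
    """Record the reference digests (the 'vendor' side of the comparison)."""
    return {rel: sha256_of(os.path.join(root, rel)) for rel in rel_paths}

def verify_manifest(root, manifest):
    """Compare the live tree against the manifest; returns {path: status}."""
    report = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report[rel] = "missing"
        elif sha256_of(full) != expected:
            report[rel] = "modified"     # rebuilt, patched... or replaced
        else:
            report[rel] = "ok"
    return report

def demo():
    """Constructed scenario: baseline three fake binaries, then alter the tree."""
    with tempfile.TemporaryDirectory() as root:
        for rel in WATCHED:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(b"#!/bin/sh\necho stand-in for " + rel.encode() + b"\n")
        manifest = build_manifest(root, WATCHED)
        # After the baseline: ps changes on disk, httpd disappears.
        with open(os.path.join(root, "bin/ps"), "ab") as f:
            f.write(b"# extra bytes: any change to ps breaks the vendor digest\n")
        os.remove(os.path.join(root, "sbin/httpd"))
        return verify_manifest(root, manifest)

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

The comparison is only as good as where the manifest lives: it has to be stored off the host being checked, and the checking tool itself run from read-only or freshly copied media, or the same ps replacement can cover for itself.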

  9. Re:Don't blame bad coding for bad architecture. by gbjbaanb · · Score: 4, Informative

    Funny how MS gets criticism on /. even though eBay has run on Java and Solaris since 2005.

    http://www.theregister.co.uk/2005/07/13/ebay_sun_ibm/

    and

    http://sun.ebay.com/odcs/custom.htm?template=popup

    So, yeah, I'll agree with you - it's probably bad architecture that's at fault.

  10. ebay is a haven... by null etc. · · Score: 2, Interesting
  11. What a Loser by madsheep · · Score: 3, Informative

    I know I cannot be the only person thinking "what a loser." Maybe this guy has some motive behind his actions, but if you're in the world of IT Security you are relatively familiar with Romanian whackers. They can take the most mundane abuse of something and claim it as hacking. This is a perfect example. Is someone cracking, phishing, or scamming their way onto eBay's message boards that much of a "prank" or "hack"? I do not think so. Does it spell out that there is a security weakness somewhere? Absolutely. You will find this in almost any large organization when someone specifically targets them, their employees, and/or users. I cannot begin to account for how many times various ISPs have been publicly hacked/owned/pranked, far worse than this.

    Do that many people really get their news from eBay message boards? This guy is getting on an account and posting messages. What is his next hack going to be? Use a stolen or fraudulently created account to post a *FAKE* auction? This guy can hardly penetrate systems at will. I think there's a reason he only seems to pop up at certain times. Classify this guy as another moron that needs to find something better to do.

    Hopefully this loser will join the ranks of Victor Faur. Not so much in notoriety, but in the loss of the right to use a computer or travel internationally. :)

  12. Their sign-in server needs some work too by Pedahzur · · Score: 2, Interesting

    I posted this a few days ago. eBay customer service still hasn't shown any indication they intend to fix this problem: eBay's sign-in server can assist phishers.

    --
    Joshua J. Kugler

  13. You're full of it... by encoderer · · Score: 2, Informative

    Sorry man, but you're full of it. Apache out of the box _is_ more secure than IIS out of the box.

    But both of them can be secured properly.

    There are MILLIONS of IIS servers running sensitive information.

    You saying otherwise is FUD every bit as disgusting as anything Microsoft produces.

    Everyone needs to work together to bust the FUD.

  14. Re:Don't blame bad coding for bad architecture. by AJWM · · Score: 2, Interesting

    Funny how MS gets criticism on /. even though eBay has run on Java and Solaris since 2005.

    Go to ebay.com's main page. Check out some of the links like "register" or "pay". See that "eBayISAPI.dll" in the cgi URL?

    They use Microsoft too, unless someone with a bizarre sense of humor has a file named eBayISAPI.dll on Solaris...

    --
    -- Alastair

  15. Re:Don't blame bad coding for bad architecture. by Anonymous Coward · · Score: 2, Informative

    Former ebay employee (hence anonymous) here.

    The VAST majority of ebay is Windows. Solaris is only used for Oracle on the very back end.