Online auction powerhouse eBay closed a security hole in a password-maintenance feature late Tuesday (2 April) that could have allowed attackers to take over a user's account and commit fraud.

The vulnerability existed in the feature that allowed registered eBay users to change the passwords that they use to log into the site, according to Kevin Pursglove, senior director of communications at eBay. The "change your password" feature was taken offline around 1am on 2 April due to the security hole. The feature has since been fixed and put back online, he said.

The hole would have allowed an attacker who knew the publicly available name that an eBay member bids under to change that user's password, thereby taking over the account, Pursglove said.
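The article does not say how the hole worked, so the following is an added illustration, not eBay's code: it assumes a password-change handler that picks the account from a client-supplied bidder name and never proves the caller owns it, set beside a hardened version that binds the change to the logged-in session and requires the current password. All names (`Store`, `Account`, the form fields) are assumptions.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2; the hash details are not the point of the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    user_id: str      # the public bidder name
    salt: bytes
    pw_hash: bytes


class Store:
    """Constructed in-memory user store with login sessions (hypothetical)."""
    def __init__(self):
        self.accounts = {}   # user_id -> Account
        self.sessions = {}   # session token -> user_id

    def create(self, user_id, password):
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, _hash(password, salt))

    def login(self, user_id, password):
        acct = self.accounts.get(user_id)
        if acct is None or not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            return None
        tok = secrets.token_hex(16)
        self.sessions[tok] = user_id
        return tok


def change_password_vulnerable(store, form):
    """Assumed weak form: the request names the victim, and nothing ties it to the caller."""
    acct = store.accounts[form["username"]]
    acct.pw_hash = _hash(form["new_password"], acct.salt)
    return True


def change_password_hardened(store, session_token, form):
    """Account comes from the session, not the form; current password must be proven."""
    user_id = store.sessions.get(session_token)
    if user_id is None:
        return False
    acct = store.accounts[user_id]
    if not hmac.compare_digest(_hash(form["current_password"], acct.salt), acct.pw_hash):
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(form["new_password"], acct.salt)
    # Invalidate every other session for this user so a change also logs out intruders.
    for tok in [t for t, u in store.sessions.items() if u == user_id and t != session_token]:
        del store.sessions[tok]
    return True
```

Reviewing recent password changes, as the article says eBay did, is the detection side of the same control: a change that cannot be matched to an authenticated session is the signal to look for.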
EBay was first notified that the attack was possible by a user, Pursglove said. Users who attempted to change their passwords after the service was disabled got error messages, he added.

Although the potential existed for attackers to have access to accounts, no credit card or personal information would have been available to them, because that data is stored on separate servers and behind separate firewalls, Pursglove said.

EBay is "in the process right now of reviewing all the password changes that have come in to us recently", Pursglove said, adding that the company has not yet received any user reports of fraud or account hijacking related to the vulnerability.

The company is "still in the process of reviewing" how the hole occurred, he said.

EBay users have been hit with other account troubles recently. Some users have reported having their accounts hijacked in recent months, though Pursglove said those incidents are unrelated to the security hole.