eBay has begun an audit of its IT
systems after a hacker managed to access and disable user
accounts.
The company said last week that the hacker exploited public
application programming interfaces (APIs) that enable merchants
to build e-commerce sites on top of eBay.
"This fraudster found very old administrative interfaces into
the eBay system that had not been deactivated when we changed the
security of our internal systems several years ago," a member of
the company's trust and safety division said in a posting on an
eBay blog.
"We immediately identified the functions that were accessed and
deactivated, and we are undergoing an audit to ensure obsolete code
that may still exist for other reasons is secure."
Richard Brain, technical architect at IT security firm
Procheckup, said: "Public APIs are available to anyone and are
used to enable businesses to communicate electronically with
trading partners." He urged businesses that offer programmable
access to their website to assess whether access to APIs should be
limited to reduce security risks.
An eBay spokeswoman said, "We were able to block the fraudster
quickly before any permanent damage had been done. At no point did
the fraudster get any access to financial information or other
sensitive data."