Hacker uses public APIs to breach eBay


Hacker uses public APIs to breach eBay

Cliff Saran

eBayhas begun an audit of its IT systems after a hacker managed to access and disable user accounts.

The company said last week that the hacker exploited public application programming interfaces (APIs) that enable merchants to build e-commerce sites on top of eBay.

"This fraudster found very old administrative interfaces into the eBay system that had not been deactivated when we changed the security of our internal systems several years ago," a member of the company's trust and safety division said in a posting on an eBay blog.

"We immediately identified the functions that were accessed and deactivated, and we are undergoing an audit to ensure obsolete code that may still exist for other reasons is secure."

Richard Brain, technical architect at IT security firm Procheckup, said "Public APIs are available to anyone and are used to enable businesses to communicate electronically with trading partners." He urged businesses that offer programmable access to their website to assess whether access to APIs should be limited to reduce security risks.

An eBay spokeswoman said, "We were able to block the fraudster quickly before any permanent damage had been done. At no point did the fraudster get any access to financial information or other sensitive data."


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy