[13925] in bugtraq


ebay sends passwords in the clear

daemon@ATHENA.MIT.EDU (Richard Fromm)
Fri Feb 18 18:29:07 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <200002161903.LAA12086@relay.EECS.Berkeley.EDU>
Date:         Wed, 16 Feb 2000 11:03:17 -0800
Reply-To: rfromm@cs.berkeley.edu
From: Richard Fromm <rfromm@CS.BERKELEY.EDU>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Not as bad as not encrypting credit card numbers (they do encrypt that), but
for some reason ebay doesn't bother to encrypt passwords.

While they're certainly not the only web site doing this, I consider this a
bit more serious than a website where one's password just holds personal
preferences.  Listing items for sale or bidding on items on ebay is allegedly
entering into a legally binding contract (although I don't know if this has
ever been tested in a court of law).  So if someone sniffs my password he/she
has the ability to misrepresent my identity in such a way that I could
potentially be financially liable.

I've been trying to get ebay to do something about this for a month and a
half, to no avail.  See http://avocado.dhs.org/ebpd/ for details, including an
ebay password sniffer.

- Richard Fromm
rfromm@cs.berkeley.edu
