
Hacker May Be Exposing eBay Back Door

Posted by Zonk
from the maybe-buy-a-hackerproof-door dept.
pacopico writes "A hacker specializing in eBay cracks has once again managed to masquerade as a company official on the site's message boards, according to The Register. A company spokesman denies that 'Vladuz's' repeated assaults on eBay point to a larger problem with the site's security. Of course, eBay two days ago claimed to have found a way to block Vladuz altogether, only to see him pop up again. The hacker himself made comments indicating that the company's email servers are connected somehow to the financial information eBay hosts."
  • FUD (Score:5, Interesting)

    by User 956 (568564) on Friday February 23, 2007 @05:36PM (#18128168) Homepage
    The hacker himself made comments indicating that the company's email servers are connected somehow to the financial information eBay hosts.

    $100 says this guy has a huge short on ebay stock.
    • Soon ebay will find his ip, and ebay will send their own corporate police to his house. Once the ebay hit squad arrives and breaks down the door all that is left is a note. The note reads, "by the time you have read this I will have escaped with my millions to an island in the Caribbean. You will not find me as I have had extensive plastic surgery, a voice modulation box, new eyes implanted, and imprinted new fingerprints over my old ones. I am also using hair dye # 2... or is it 3? HAHAHAHA! Enjoy y
  • by CasperIV (1013029) on Friday February 23, 2007 @05:36PM (#18128174)
    Maybe ebay should just pay the guy to tell them how to fix their system and be done with it. You know that this will all end with an exploit for ebay being discovered and someone getting sued.
    • by needacoolnickname (716083) on Friday February 23, 2007 @05:59PM (#18128524)
      Isn't that frowned upon?

      Breaking in. Taunting someone and then getting paid to fix things? Bad precedent I would think.
    • by Anonymous Coward
      It might not be possible to fix their system.

      According to Netcraft [netcraft.com], eBay appears to heavily use Microsoft software for their main North American operations. If that list is correct, it seems that most of their sites run on Windows 2000 or Windows Server 2003, using IIS 5.0.

      If these exploits are due to problems within Windows or IIS, it's basically outside of eBay's control as to whether or not such things get fixed. But we also have to question the competency of developers who would choose to base any signi
      • by Anonymous Coward
        Web sites like eBay call for the use of high-quality, high-security operating systems like Linux, Solaris, HP-UX and AIX.

        Right, because Apache magically prevents you from misconfiguring your servers and writing bad code?

        Both IIS 5.0 and IIS 6.0 can be easily secured, IIS 6.0 is simply more secure "as installed". I ran one of the biggest hacker targets on the Net on IIS, and every single moron who announced giddily that "we are so owned, we are so stupid" walked away with their head hung low. Web site sec

        • Re: (Score:2, Insightful)

          by Anonymous Coward
          Both IIS 5.0 and IIS 6.0 can be easily secured, IIS 6.0 is simply more secure "as installed".

          Neither compares to the security of Apache. One of the main problems with IIS is that updates are so slow in coming after a vulnerability is discovered. And since you don't have the source code, you can't deal with the problem yourself. With Apache, patches are usually available within hours, sometimes even minutes, of a vulnerability being located. And you do have the source code, so you can immediately fix any prob
          • You're full of it... (Score:2, Informative)

            by encoderer (1060616)
            Sorry man, but you're full of it. Apache out of the box _is_ more secure than IIS out of the box.

            But both of them can be secured properly.

            There are MILLIONS of IIS servers running sensitive information.

            You saying otherwise is FUD every bit as disgusting as anything Microsoft produces.

            Everyone needs to work together to bust the fud.
            • There is no uncertainty or doubt about IIS being overall less secure than LAMP. What he was saying may be exaggerated, but it is not FUD.
        • by AJWM (19027)
          Web site security is a mix of good administration and secure code.

          If you're talking about the website code and not the server code, it won't do a damn thing to help you if there's a buffer overflow in the server itself.

          Choice of OS has surprisingly little to do with it.

          Until somebody finds an exploit in your server code, and then it can make all the difference in the world.

          BTW, do you think that hackers who are after e.g. financial information are going to do something so silly as to announce that you were
  • ridiculous (Score:1, Interesting)

    by ILuvRamen (1026668)
    Wow, that's quite an interesting technical statement to say they found a way to block ANYONE forever. Anyone can sit down at any computer and you can't tell the difference. The only way would be if he's in jail and apparently he's not so I wonder what genius at eBay wrote up that statement. Btw in case you didn't know, eBay owns Paypal so obviously their general IT and technical designing isn't so great already.
    • Re: (Score:1, Offtopic)

      by Pojut (1027544)
      ::shrug:: I know people complain about it all the time, but I've never once had a technical issue with either Ebay or PayPal, and I use both of them regularly (i.e. I buy at least 2-3 things off Ebay a week)

      Perhaps it's because I only buy and don't sell?
    • by fmobus (831767)
      Maybe he meant they found the security hole that allowed him to post whatever he was posting and fixed it. This is perfectly possible, albeit unlikely given eBay's complexity and possibly WTF-ish codebase.
    • wow, that's quite an interesting technical statement to say they found a way to block ANYONE forever.

      Block him from gaining Customer Service (a.k.a. "admin") rights to the system, not block him from being a customer. RTFA.
  • by Radon360 (951529) on Friday February 23, 2007 @05:43PM (#18128274)

    ...eBay is just a venue for people to exchange items, such as malicious code into an unexpecting user's browser.

    When will they learn to do something simple like disallow META tags in item descriptions to stop redirects to sites with malicious code, rather than to hide such things and disavow any responsibility?

    • by nexuspal (720736)
      Second this. My browser got hijacked. What they do is post a legitimate auction, then, after it has been approved, they change the images to pornographic ones to entice clicks. Once they get a click, the Meta tag redirects and injects an exploit.

      And you ask me why I clicked? I wanted to see what the hell they had to sell!
    • by guruevi (827432)
      When will they stop allowing any other tags than plain:


        • A lot of pages where users can put their own data and are allowed to 'style' it, gets abused and if not abused, is contesting for worst designed webpage of the year. This is so for bays, tubes, spaces and I'm kinda getting sick of it. If you want to display some data the tags mentioned above should be enough, if not, then you can put in a link to your own website so that it's clear it comes from another source.

      • by guruevi (827432)
        Should have used preview. What I meant was the stuff you see on the bottom when you submit to /., I am too lazy to change the < to &lt; and the > to &gt;
  • by Anonymous Coward on Friday February 23, 2007 @05:44PM (#18128288)
    "A hacker specializing in eBay cracks... may be exposing eBay Back Door"

    Sounds like the author has an anal fixation to me!

  • You just know what's gonna get posted soon...
    • by Tackhead (54550)
      > You just know what's gonna get posted soon...

      In other news, Boston was shut down for the second time in a month due to LED billboards...

      Err: "Notice how we fit together?"
      Ignignokt: "Except this time I'm doing it as wide as I can!"
      Boston Mayor: "How can you treat this with kid gloves?"
      Berdovsky and Stevens: "That's a goat question, not a hair question."

  • I told EBAY I could resolve this for them once they send the PS3 to my address in Nigeria. The payment through Paypal will not post to their account until after they have mailed the package. What don't they understand about this?
  • ebay is a haven... (Score:3, Interesting)

    by null etc. (524767) on Friday February 23, 2007 @06:51PM (#18129098)
    Proof: http://havenforscammers.com/ [havenforscammers.com]
  • What a Loser (Score:3, Informative)

    by madsheep (984404) on Friday February 23, 2007 @06:59PM (#18129190) Homepage
    I know I cannot be the only person thinking "what a loser." Maybe this guy has some motive behind his actions, but if you're in the world of IT Security you are relatively familiar with Romanian whackers. They can take the most mundane abuse of something and claim it as hacking. This is a perfect example. Is someone cracking, phishing, or scamming their way onto eBay's message boards that much of a "prank" or "hack"? I do not think so. Does it spell out that there is a security weakness somewhere? Absolutely. You will find this in almost any large organization when someone specifically targets them, their employees, and/or users. I cannot begin to account for how many times various ISPs have been publicly hacked/owned/pranked, far worse than this.

    Do that many people really get their news from eBay message boards? This guy is getting on an account and posting messages. What is his next hack going to be? Use a stolen or fraudulently created account to post a *FAKE* auction? This guy can hardly penetrate systems at will. I think there's a reason he only seems to pop up at certain times. Classify this guy as another moron that needs to find something better to do.

    Hopefully this loser will join the ranks of Victor Faur [zdnet.com]. Not so much in notoriety, but in the loss of the right to use a computer or travel internationally. :)
  • I posted this a few days ago. E-bay customer service still hasn't shown any indication they intend to fix this problem: E-Bay's sign in server can assist phishers [jjncj.com].
  • e-bay has a lot of issues. Whatever this individual is exposing, take it with integrity. All they want to do is throw money at it, and find ways to screw anybody and everybody as much as possible. 1 out of 6 people are millionaires on "paper", because of this e-bay encourages them to work at a significantly reduced pay rate. They do this because they are bored, and e-bay allows them to act accordingly. Meaning, because they have nothing to lose that they can make everyone's life hell around them, with
  • by Anonymous Coward
    Security breaches on ebay servers might explain the rampant theft of people's credit card info on ebay. In most cases ebay are apparently still trying to make customers and sometimes banks pay for the losses rather than admit to their servers being compromised.
  • FTA "but insist the servers that administer those functions are balkanized from databases" That proves it - he IS from Romania! But seriously, if Ebay's servers really are Balkanized, (http://en.wikipedia.org/wiki/Balkanize), "Balkanization is a geopolitical term originally used to describe the process of fragmentation or division of a region into smaller regions that are often hostile or non-cooperative with each other", maybe it's no wonder they have problems.
  • Is it that the hacker is getting more expert or the system admin is less brilliant?
