Hacker May Be Exposing eBay Back Door

pacopico writes "A hacker specializing in eBay cracks has once again managed to masquerade as a company official on the site's message boards, according to The Register. A company spokesman denies that 'Vladuz's' repeated assaults on eBay point to a larger problem with the site's security. Of course, eBay two days ago claimed to have found a way to block Vladuz altogether, only to see him pop up again. The hacker himself made comments indicating that the company's email servers are connected somehow to the financial information eBay hosts."

FUD

[User 956]

The hacker himself made comments indicating that the company's email servers are connected somehow to the financial information eBay hosts.

$100 says this guy has a huge short on ebay stock.

Re:

[Jonny Ringo]

Soon ebay will find his ip, and ebay will send their own corporate police to his house. Once the ebay hit squad arrives and breaks down the door all that is left is a note. The note reads, "by the time you have read this I will have escaped with my millions to an island in the Caribbean. You will not find me as I have had extensive plastic surgery, a voice modulation box, new eyes implanted, and imprinted new finger prints over my old ones. I am also using hair dye # 2... or is it 3? HAHAHAHA! Enjoy y

Re:FUD

[AKAImBatman]

I think you forgot, "This message (and house) will self-destruct in 10 seconds. 9... 8..."

Re:

[User 956]

You betting against him? He has crawled in the network, have you? Personally, I am not betting against him.

Has he? How do you know he's not a disgruntled ex-employee, who would have knowledge of their network legitimately? How do you know he's not in cahoots with an ex-employee? Why make persistent efforts to expose this unproven "flaw" in a public manner unless the intention were to harm eBay's image and/or their stock position?

This sort of information would be worth a lot of money on the black mark [pcpro.co.uk]

Re:

[veganboyjosh]

How do you know he's not in cahoots with an ex-employee?

hell, if he's in cahoots with someone, would it have to be an ex-employee?

Re:

[alexjohnc3]

I don't understand why people insist on believing this kind of stuff right out of the gate without any critical thinking.

It's pretty simple actually. I'll give you a hint: The key word is "people".

Re:

[AoT]

Why make persistent efforts to expose this unproven "flaw" in a public manner unless the intention were to harm eBay's image and/or their stock position?

Well, cause it's funny.

Or so his name gets in the news.

mainly the latter.

Re:

[the_womble]

If his goal is to protect ebay users, why doesn't he work with ebay security, privately?

Given what has happened to other people who have found [zdnet.co.uk] or disclosed vulnerabilities [csoonline.com], that is probably more of a risk than attacking the site.

This has been discussed [slashdot.org] on Slashdot before [slashdot.org].

Re:FUD

[Antique Geekmeister]

Publishing this sort of thing privately often doesn't work. I've had numerous security vulnerabilities ignored for years: the use of public FTP sites with user's private passwords is one of the most common. Publicly write-able home directories used by both bosses and their secretaries is another: so are password free SSH keys and software that stores passwords locally in clear text, then NFS export those directories.

In practice, nothing forces a change faster than an obvious break-in that discomfits the boss's secretary: the second fastest is something that affects the stock price. Even something that is being actively used for break-ins is often ignored due to recalcitrant developers and users who cannot be troubled to use secure practices, or to invest in keeping their software upgraded. The worst of them are those who think "we're inside a firewall, we trust the people we work with!". Then they sneak in a laptop from home and expect it to just work.

Re:

[tinkertim]

If his goal is to protect ebay users, why doesn't he work with ebay security, privately?

More critical thinking suggests he has already plundered the information, did so long ago and has been refreshing his copy frequently, finally made enough on the black market selling it in small chunks rather than risk letting someone know what he had and get ratted for bounty or someone else trying to buy their way out of being prosecuted for something else and perhaps is already enjoying life in abu dabi?

H

Re:

[kd5ujz]

The email servers must be linked to the transaction servers SOMEHOW, or else you would not recieve all the cute emails when someone outbids you, you win, or someone "buys it now".

Re:

[jorgevillalobos]

I think what really matters here is whether there's a two way communication or one way communication. I would assume that ebay would follow proper design and security patterns, and just allow for the transaction servers to notify the email servers about state changes, so that they can send the appropriate message. The question is whether you can access more than just email if you break into the email servers, which would imply that there is some kind of access from the email servers to the transaction serve

Time for a new plan....

[CasperIV]

Maybe ebay should just pay the guy to tell them how to fix their system and be done with it. You know that this will all end with an exploit for ebay being discovered and someone getting sued.

Re:Time for a new plan....

[needacoolnickname]

Isn't that frowned upon?

Breaking in. Taunting someone and then getting paid to fix things? Bad precendece I would think.

That might not be possible.

[Anonymous Coward]

It might not be possible to fix their system.

According to Netcraft [netcraft.com], eBay appears to heavily use Microsoft software for their main North American operations. If that list is correct, it seems that most of their sites run on Windows 2000 or Windows Server 2003, using IIS 5.0.

If these exploits are due to problems within Windows or IIS, it's basically outside of eBay's control as to whether or not such things get fixed. But we also have to question the competency of developers who would choose to base any signi

Idiots and their web sites...

[Anonymous Coward]

Web sites like eBay call for the use of high-quality, high-security operating systems like Linux, Solaris, HP-UX and AIX.

Right, because Apache magically prevents you from misconfiguring your servers and writing bad code?

Both IIS 5.0 and IIS 6.0 can be easily secured, IIS 6.0 is simply more secure "as installed". I ran one of the biggest hacker targets on the Net on IIS, and every single moron who announced giddily that "we are so owned, we are so stupid" walked away with their head hung low. Web site sec

Re:

[Anonymous Coward]

Both IIS 5.0 and IIS 6.0 can be easily secured, IIS 6.0 is simply more secure "as installed".

Neither compare to the security of Apache. One of the main problems with IIS is that updates are so slow in coming after a vulnerability is discovered. And since you don't have the source code, you can't deal with the problem yourself. With Apache, patches are usually available within hours, sometimes even minutes, of a vulnerability being located. And you do have the source code, so you can immediately fix any prob

You're full of it...

[encoderer]

Sorry man, but you're full of it. Apache out of the box _is_ more secure than IIS out of the box.

But both of them can be secured properly.

There are MILLIONS of IIS servers running sensitive information.

You saying otherwise is FUD every bit as disgusting as anything Microsoft produces.

Everyone needs to work together to bust the fud.

Re:

[somersault]

Errr.. code doesn't have to be open source to be 'safe' or secure. It may help the process of fixing bugs or finding exploits, but you do seem to be generalising rather a lot. As for your last paragraph, it makes no sense :p "Please tell us all your personal details so that we can make sure you don't get a job ever, whether or not you are right about this"..?

Re:

[Antique Geekmeister]

From harsh expericce, closed source code is vastly more likely to be hacked and vulnerable to hacking. The crackers do steal the source and the developer's notes: the more honest people don't have access to it and can contribute nothing. And the crackers only have to be lucky once, the designer or programmers have to be right and cautious all the time. Couple that need with the extremely poor GUI-based programming and feature extension styles of a lot of "software engineers", and you have a disaster hiding

Re:

[644bd346996]

There is no uncertainty or doubt about IIS being overall less secure than LAMP. What he was saying may be exaggerated, but it is not FUD.

Re:

[AJWM]

Web site security is a mix of good administration and secure code.

If you're talking about the website code and not the server code, it won't do a damn thing to help you if there's a buffer overflow in the server itself.

Choice of OS has surprisingly little to do with it.

Until somebody finds an exploit in your server code, and then it can make all the difference in the world.

BTW, do you think that hackers who are after e.g. financial information are going to do something so silly as to announce that you were

ridiculous

[ILuvRamen]

wow, that's quite an interested technical statement to say they found a way to block ANYONE forever. Anyone can sit down at any computer and you can't tell the difference. The only way would be if he's in jail and apparently he's not so I wonder but genius at eBay wrote up that statement. Btw in case you didn't know, eBay owns Paypal so obviously their general IT and technical designing isn't so great already.

Re:

[Pojut]

::shrug:: I know people complain about it all the time, but i've never once had a technical issue with either Ebay or PayPal, and I use both of them regularly (i.e. I buy at least 2-3 things off Ebay a week)

Perhaps it's because I only buy and don't sell?

Re:

[fmobus]

maybe he meant they found the security hole that allowed him to post whatever he was posting and fixed. This is perfectly possible, albeit unlikely given eBay's complexity and possibly WTF-ish codebase.

Re:

[AKAImBatman]

wow, that's quite an interested technical statement to say they found a way to block ANYONE forever.

Block him from gaining Customer Service (a.k.a. "admin") rights to the system, not block him from being a customer. RTFA.

Re:

[el americano]

You've been watching "Firewall" again?

Jack: Hey, Ravi. What have we got?

Ravi: Brute-force login.
The interesting thing is he's coming in through Hong Kong,
Korea and Malaysia, but he's trying sequential account
numbers. He's hacking all over!

Jack: Move over for me.
Let's try a rule change on him,
see what he does. Put in an IPS signature
that black-holes the pattern. See if that slows him down.

Ravi: That'd slow me down!

Maybe Not

[AKAImBatman]

Maybe they should use OpenBSD once and for all...

Your choice in Operating System does little to mitigate bad coding. eBay has never been known for their technical wizardry and coding sophistication. It wouldn't surprise me if their back doors were wide open. (If you knew where to look.) For example, instead of having secure B2B messaging channels between different offices and departments, they might use machine formatted Internet Email that gets decoded by machine on the other side. Which would mean that a lot of "financial information" could be travelling over "their email system".

10:1 says the guy is an employee who lost his gruntles.

Re:

[twiddlingbits]

More likely someone put financial information in an email, or attached a spreadsheet of such, or got email containing their login information for the Accouting systems. Often when a new user gets setup the first thing they get is email and all the system access UIDs and passwords come via email. IF he can read that email he IS that person, the system knows no difference.

Any firm that allows an EXTERNAL user to login to the company LAN or email server w/o a very secure two factor authentication (such as a RS

Don't blame bad coding for bad architecture.

[m.precursor]

Yes, operating system choice does little to mitigate bad coding however certain architectures like ISAPI are very complex and error prone. It isn't bad coding as much as it is bad choice of architecture. I have a feeling that in the beginning, some of the developers were asserting that some things were a bad idea and got fired because they weren't in the MS camp. I would like to see a count of people who have successfully implemented a _complex_ ISAPI application without possible security issues coming u

Re:Don't blame bad coding for bad architecture.

[gbjbaanb]

Funny how MS gets criticism on /. even though eBay has run on Java and Solaris since 2005.

http://www.theregister.co.uk/2005/07/13/ebay_sun_i bm/ [theregister.co.uk]

and

http://sun.ebay.com/odcs/custom.htm?template=popup [ebay.com]

So, yeah I'l agree with you - its probably bad architecure that's at fault.

Re:

[AJWM]

Funny how MS gets criticism on /. even though eBay has run on Java and Solaris since 2005.

Go to ebay.com's main page. Check out some of the links like "register" or "pay". See that "eBayISAPI.dll" in the cgi URL?

They use Microsoft too, unless someone with a bizarre sense of humor has a file named eBayISAPI.dll on Solaris...

Re:

[Anonymous Coward]

Former ebay employee (hence anonymous) here.

The VAST majority of ebay is Windows. Solaris is only used for Oracle on the very back end.

Re:

[AJWM]

The VAST majority of ebay is Windows. Solaris is only used for Oracle on the very back end.

Thanks for the inside info.

Re:

[WhoBeDaPlaya]

Too bad you're no longer with them or you could ask the T&S department to stick it :|

Re:

[linhux]

It's more like someone has used URL rewriting to maintain backward compatibility. This presentation [addsimplicity.com] details the past and current architectures of eBay. Among other things, it states that they have replaced their entire C++ ISAPI application with J2EE. I think the presentation layer still is IIS, though (the paper mentions MSXML).

Re:

[unboring]

That might have been true in the past. But not so now.
Read this [nyud.net] which is a presentation from one of eBay's technical architects. It outlines the evolution of the technology and the challenges they face, as well as the huge volume of data!

Re:

[DesertBlade]

Looks like ebay is run mostly on windows and IIS. See here [netcraft.com]

Re:

[TubeSteak]

10:1 says the guy is an employee who lost his gruntles.

Maybe, but that isn't necessary.

Eastern Europe has a lot of experienced computer haxors.
He claims he's Romanian & the FBI is looking in Romania.

Romania (pop ~22 million) is one of the top 10 biggest hubs for online crime.
The only other small country in the top 10 is North Korea.

They're up there with China, Russia & U.S.A.
(USA #1 woo!)

Not an auction site...

[Radon360]

...eBay is just a venue for people to exchange items, such as malicious code into an unexpecting user's browser.

When will they learn to do something simple like disallow META tags in item descriptions to stop redirects to sites with malicious code, rather than to hide such things and disavow any responsibility.

Re:

[nexuspal]

Second this, My browser got hijacked. What they do is post a legitiment auction, then, after it has been approved, they change the images to pornagraphic ones to entice clicks. Once they get a click, the Meta tag redirects and injects exploit.

And you ask me why I clicked? I wanted to see what the hell they had to sell!

Re:

[guruevi]

When will they stop allowing any other tags than plain:

1. • A lot of pages where users can put their own data and are allowed to 'style' it, gets abused and if not abused, is contesting for worst designed webpage of the year. This is so for bays, tubes, spaces and I'm kinda getting sick of it. If you want to display some data the tags mentioned above should be enough, if not, then you can put in a link to your own website so that it's clear it comes from another source.
     

Re:

[guruevi]

Should have used preview. What I meant was the stuff you see on the bottom when you submit to /., I am too lazy to change the < to &lt; and the > to &gt;

Where is your mind at?

[Anonymous Coward]

A hacker specializing in eBay cracks... may be exposing eBay Back Door"

Sounds like the author has an anal fixation to me!

Not the place to talk about exposed backdoors

[spun]

You just know what's gonna get posted soon...

Re:

[Tackhead]

> You just know what's gonna get posted soon...

In other news, Boston was shut down for the second time in a month due to LED billboards...

Err: "Notice how we fit together?"
Ignignokt: "Except this time I'm doing it as wide as I can!"
Boston Mayor: "How can you treat this with kid gloves?"
Berdovsky and Stevens: "That's a goat question, not a hair question."

I can solve this for EBAY

[AmigaHeretic]

I told EBAY I could resolve this for them once they send the PS3 to my address in Nigeria. The payment through Paypal will not post to their account until after they have mailed the package. What don't they understand about this?

ebay is a haven...

[null etc.]

Proof: http://havenforscammers.com/ [havenforscammers.com]

What a Loser

[madsheep]

I know I cannot be the only person thinking "what a loser." Maybe this guy has some motive behind his actions, but if you're in the world of IT Security you are relatively familiar with Romanian whackers. They can take the most mundane abuse of something and claim it as hacking. This is a perfect example. Is someone cracking, phishing, or scamming their way onto eBay's message boards that much of a "prank" or "hack"? I do not think so. Does it spell out that there is a security weakness somewhere? Absolutely. You will find this in almost any large organization when someone specifically targets them, their employees, and/or users. I cannot begin to account for how many times various ISP have been publicly hacked/owned/pranked, far worse than this.

Do that many people really get their news from eBay message boards? This guy is getting on account and posting messages. What is his next hack going to be? Use a stolen or fraudulently created account to post a *FAKE* auction? This guy can hardly penetrate systems at will. I think there's a reason he only seems to pop up at certain times. Classify this guy as another moron that needs to find something better to do.

Hopefully this loser will join the ranks of Victor Faur [zdnet.com]. Not so much in notoriety, but in the loss of the right to use a computer or travel internationally. :)

Their sign-in server needs some work too

[Pedahzur]

I posted this a few days ago. E-bay customer service still hasn't shown any indication they intend to fix this problem: E-Bay's sing in server can assist phishers [jjncj.com].

He is right..

[gamekeeper]

e-bay Has alot of issues.. What ever this individual is exposing,, Take it with integrity.. All they want to do is throw money at it, and find ways to screw anybody and everybody as much as possible.. 1 out of 6 people are millionaires on "paper", because of this e-bay engourages them to work at a significantly reduced pay rate. They do this because they are borde, and e-bay allows them to act accordingly. Meaning, because they have nothing to loose that they can make everyone's life hell around them, with

explanation for ebay credit card fraud?

[Anonymous Coward]

Security breaches on ebay servers might explain the rampant theft of people's credit card info on ebay. In most cases ebay are apparently still trying to make customers and sometimes banks pay for the losses rather than admit to their servers being compromised.

Balkanisation

[Bearhouse]

FTA "but insist the servers that administer those functions are balkanized from databases" That proves it - he IS from Romania! But seriously, if Ebay's servers really are Balkanized, (http://en.wikipedia.org/wiki/Balkanize), "Balkanization is a geopolitical term originally used to describe the process of fragmentation or division of a region into smaller regions that are often hostile or non-cooperative with each other", maybe it's no wonder they have problems.

Wonder why ?

[IT072110]

Is it the hacker is getting more experts or the system admin is less brilliant??