eBay patches login vulnerability

By Justin Mann on March 2, 2007, 5:35 PM
More than a week after it was first discovered, eBay has fixed a flaw in its sign-on page. The flaw gave phishers an easier and “more trustworthy” way of snagging logins, because it let them direct a user to the official login page but send the credentials somewhere else:

The vulnerability was noteworthy because it led users to eBay's official login page first, unlike most phishing attacks, which direct victims to a spoofed URL. Once a user entered a valid user name and password on the eBay site, however, the exploit redirected the person to a third-party site of an attacker's choosing.
Apparently, eBay had been aware of it internally for longer. Regardless, as of Thursday the issue was addressed. This isn't eBay's only current concern; the company is also contending with numerous other security issues and accusations of severe system-wide flaws. As the article mentions, its slow response time doesn't make anybody feel better about the situation. Given that eBay and PayPal are some of the biggest targets of phishing, it would behoove them to hire a security staff large enough to combat these issues more quickly.
