More security woes keep eBay on edge
Independent security pros are finding all kinds of flaws in eBay's networks
IDG News Service - EBay's security team isn't going to get a break for a while.
Following an attack disclosed last week that exposed sensitive information of up to 145 million people, the auction giant is scrambling to repair several other problems reported in its vast network by security enthusiasts.
"As a company, we take all vulnerabilities reported to us very seriously, evaluating any reported issue within the context of our entire security infrastructure," wrote Ryan Moore, lead manager of eBay's business communications, in an email to IDG News Service.
EBay has long been a target for cybercriminals. It is the seventh most visited site in the U.S, according to statistics from Amazon's Alexa Web analytics unit. Its combination of a marketplace and payments platform, PayPal, means it holds sensitive data and poses opportunity for fraudsters.
Three U.S. states -- Connecticut, Florida and IllinoisA -- are jointly investigating eBay's data breach, a sign that regulators and law enforcement are taking a keen interest in how consumer data is protected following Target's data breach last year.
EBay's size puts it in the league of companies such as Facebook, Google and Microsoft. All run large networks constantly prodded by "black hat" hackers, those who are seeking to damage a company or profit from attacks, and "white hats," who alert companies to problems.
Yasser Ali, a 27-year-old who lives in Luxor, Egypt, said it took him all of three minutes last week to find a serious vulnerability that could let him take over anyone's eBay account if he knows a person's user name, which is public information.
Ali shared a video with eBay showing how the flaw could be exploited, he said in a phone interview Tuesday night. He hasn't received a response from eBay, but said the video was viewed by company officials 17 times, according to a statistics counter on the clip. Moore said eBay has now fixed the bug, and Ali plans to release details of it.
Ali, who quit his job as a mechanical engineer last month to focus on information security, has found other bugs before in eBay and is named in a list of security gurus who have helped out. But he said he has little incentive to continue analyzing eBay since the company doesn't pay for vulnerability information.
"They are not like Google's security team, and they are not like Facebook," Ali said, noting those companies have close ties with the research community. "This will kill their reputation."
Google, Facebook, Yahoo and others pay independent researchers rewards up to thousands of dollars for security information. The payments are an incentive for security enthusiasts, who spend long hours on their own time to look for flaws.
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Market Overview: Digital Customer Experience Delivery Platforms Forrester states that businesses today struggle to understand and use the tools necessary to create and manage unified, multichannel digital customer experiences across...
- The Growing Demand for Rich Media This white paper discusses how IBM Customer Experience Suite Rich Media Edition can automate rich media workflows, from collaborating with creative agencies and...
- The Next Generation Employee Experience This white paper from IBM, showcases five organizations that are strategically integrating emerging social software and tools with their existing investments and seeing...
- It's not too late...Get Your Mobile Questions Answered Live! How can IT provide seamless and secure mobile communications and collaboration for all? Join this live Webcast as IDG asks an expert panel...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success! All Malware and Vulnerabilities White Papers | Webcasts