Written By: Anon.Dos
On the twenty-first of May, eBay sent an email to its one hundred and forty-five million users asking them to change their account passwords, officially confirming that their accounts had been compromised. And that was just the start: the hackers had found a way to collect user information in bulk, gathering the details of millions of accounts in a few steps.
Furthermore, even after all the passwords on eBay accounts are changed, the hackers still hold the personal details of millions of eBay users: their names, addresses, landline numbers, cell phone numbers and dates of birth. According to eBay, however, no financial information was compromised, because all financial details are kept on entirely separate servers.
But the interesting question is how an eBay account could be hacked. When a user clicks the “forgot password” link they are taken, as on every other website, to a separate page that asks for user details; a random code is then generated and placed in the HTML as a reqinput value, which can be seen with the browser's inspect element tool.
Once the user has provided their details, they are taken to a page where they enter their new password twice so that it can be saved. When that is done, a confirmation email is sent to them.
However, because the flow does not use a fresh secret code, the new password is sent (over HTTP) with the same reqinput value that was generated when the user first clicked to reset their password, a value the hacker already knows. The image below shows exactly what the “reqinput” value looks like:
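As an added example (not code from the original post or from eBay), the Python below shows the opposite of the flow described above: a reset token that is generated fresh per request, stored only as a hash, bound to one user, time-limited and consumed on first use, so a value observed earlier in a page cannot be replayed to set the new password. The in-memory user and token stores and the function names are assumptions made for this illustration.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for a database (illustration only).
USERS = {"alice@example.com": {"pw_hash": None, "salt": None}}
RESET_TOKENS = {}          # sha256(token) -> {"user": email, "expires": unix time}
TOKEN_TTL = 15 * 60        # a reset token is valid for 15 minutes


def _token_hash(token: str) -> str:
    # Only a hash is stored, so a leaked token table yields nothing replayable.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email: str, now=None):
    """Create a fresh, single-use, time-limited token for a known user.

    The plaintext token goes out of band (e.g. by email); it is never written
    into a page where the requester could read it with inspect element.
    Returns None for unknown users; callers should answer identically either
    way so the endpoint does not reveal which addresses are registered."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    # Any earlier outstanding token for this user is invalidated first.
    for h in [h for h, rec in RESET_TOKENS.items() if rec["user"] == email]:
        del RESET_TOKENS[h]
    token = secrets.token_urlsafe(32)               # 256 bits of CSPRNG entropy
    RESET_TOKENS[_token_hash(token)] = {"user": email, "expires": now + TOKEN_TTL}
    return token


def complete_reset(token: str, new_password: str, now=None) -> bool:
    """Consume the token exactly once, check expiry, then store the password."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.pop(_token_hash(token), None)  # pop: a second use fails
    if rec is None or now > rec["expires"]:
        return False
    salt = secrets.token_bytes(16)
    # scrypt from the standard library; a slow, salted password hash.
    pw_hash = hashlib.scrypt(new_password.encode(), salt=salt, n=2**14, r=8, p=1)
    USERS[rec["user"]].update(pw_hash=pw_hash, salt=salt)
    return True
```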
Also, when you come to think of it, even if a person changes their password, as eBay told its customers to, most password reset questions involve information like date of birth, maiden name, phone number and backup email. So even if eBay is right that the credit card and PayPal information was not leaked or hacked, how long do you think it would take to go to the reset password link and provide all the information that is already stored in the hacker's database?
Furthermore, a journalist from the Washington Post and a researcher report that an individual is selling the eBay user database for just 1.453 BTC (BTC being Bitcoin; converted to United States dollars this is roughly $750+) for all those forty five million accounts. But eBay has something different to say about that: eBay says it has checked the list and the information provided by the individual does not match eBay's database. Real or fake, information like that can be sold to different people for marketing purposes, which comes with a package of those annoying spam emails, or possibly to other hackers.
The worst part of this hack is that the leaked information available on the internet was posted in plain text; only the passwords were encrypted. When users register on eBay they have no say over what information must be given to eBay, and it is for the most part rather immature on eBay's side not to encrypt that sort of information, i.e. names, dates of birth, etc.
However, whatever methods they choose to run their billion-dollar business, at the end of the day it is their responsibility to keep their users' information safe and protected at all times.