Bugtraq mailing list archives
ebay sends passwords in the clear
From: rfromm () CS BERKELEY EDU (Richard Fromm)
Date: Wed, 16 Feb 2000 11:03:17 -0800
Not as bad as not encrypting credit card numbers (they do encrypt that), but for some reason ebay doesn't bother to encrypt passwords. While they're certainly not the only web site doing this, I consider this a bit more serious than a website where one's password just holds personal preferences.

Listing items for sale or bidding on items on ebay is allegedly entering into a legally binding contract (although I don't know if this has ever been tested in a court of law). So if someone sniffs my password he/she has the ability to misrepresent my identity in such a way that I could potentially be financially liable.

I've been trying to get ebay to do something about this for a month and a half, to no avail. See http://avocado.dhs.org/ebpd/ for details, including an ebay password sniffer.

- Richard Fromm
rfromm () cs berkeley edu