The new ebay.com.au website has been released with much fanfare but the creaters of the website have now decided to embed the users first name and last name on most pages visited. The test is delivered under plain http and can easily be captured over the air or wire using Wireshark.
Steps to replicate:
- Login to ebay.com.au with correct credentials
- Navigate to he home page
- Hover the mouse to the top left hand corner under the “G’Day <First Name>”
- Be greeted with a hover over panel with <First Name> <Last Name> in plain sight.
Conducting a Wireshark trace illustrates the issue. A sting search in packet details for GH_alertData will display the first / last name.
Why is this bad:
Potentially a hacker can gain easy access to your first, last name and ebay id and use this info to produce a phishing email or collect this data for further attacks.
Where can this happen:
The most likely place for this to happen is over an unencrypted wireless network, i.e at the airport or the cafe. Wired networks are also vulnerable.
What can ebay do:
Secure their website by using the https protocol for the entire website.
What else sucks:
On a internet connection that can stall, i.e 3G/wifi, the hover function can time out and throw up the message, “We’re sorry, there was a problem retrieving this information”. Now the user can easily log out without refreshing the page.