New eBay Password Security Flaw Discovered – With a Smartphone and a free App
It has been over two and a half years since eBay suffered a massive data breach in which the details of 145 million users were compromised and eBay instructed all registered users to change their passwords.
But today this website can reveal a hole in eBay's website security so glaring that we are surprised no one else has noticed it. It is not on the scale of the 2014 breach, but it is something eBay really needs to fix!
In fact, it is such an obvious flaw that eBay must be aware of it; it just seems they still do not take their users' security that seriously.
So what do you need to exploit this flaw? Years of hacking experience? A Linux Box? A Degree in computer science?
All you need is a Rooted Android device and a free app called zANTI.
zANTI is a mobile penetration-testing toolkit. Like Intercepter-NG it can perform Man-in-the-Middle (MITM) attacks on a local network, redirect users to another URL, replace images and, most importantly, has an 'SSL Strip' function. SSL stripping does not break HTTPS itself: the attacker's proxy rewrites the https:// links in pages that are served over plain HTTP to http://, fetches the real HTTPS page from the server on the victim's behalf, and hands it back to the victim over unencrypted HTTP, so the victim's browser never makes the encrypted connection and everything it submits is readable to the attacker.
The flaw we are discussing today lies in how eBay's unencrypted HTTP pages hand users over to the HTTPS sign-in page. So let's dive straight in.
This exploit, as you will notice, was demonstrated on the UK eBay site; it is unclear whether the flaw also affects the US site (eBay.com) and other international eBay sites.
The eBay site, before a user logs in, is served unencrypted over plain HTTP, which is exactly the precondition SSL stripping needs.
There are two ways a user is taken to the secure HTTPS sign-in page. The first is by clicking the 'Sign in' link in the top left-hand corner of the screen, and the second is by clicking any of the options in the 'My eBay' drop-down menu.
When zANTI is performing a MITM attack with the 'SSL Strip' function enabled, an eBay user who clicks the 'Sign in' link is still taken to the HTTPS sign-in page.
However, a user who clicks any of the options in the 'My eBay' drop-down menu is taken to a non-secure HTTP copy of the sign-in page while zANTI is intercepting their traffic.
And herein lies the problem. Because the eBay site is not served entirely over HTTPS, the 'My eBay' links can be downgraded in transit: zANTI serves the user a plain-HTTP sign-in page and reads the eBay username/email and password out of the form submission as it passes through.
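To make the mechanism concrete, here is an added example (not code from the article, from eBay, or from zANTI): a small, offline simulation of what an SSL-stripping proxy does to an HTTP-served page, and of what the browser-side defence looks like. The storefront HTML, the hostnames signin.example.net and my.example.net and the header values are constructed for illustration and stand in for an HTTP page that links to an HTTPS sign-in form; they are not captured eBay traffic, and the 'preloaded' HSTS host is an assumption used to show the defence, not an explanation of why eBay's own 'Sign in' link survived.

```python
"""Simulation of SSL stripping against an HTTP-served page (constructed example).

The proxy rewrites https:// links to http:// in responses the victim sees,
remembers which hosts it downgraded so it can still use TLS upstream, and
records any login form the victim then submits in the clear. The browser
model shows that a host the browser already knows as HTTPS-only (HSTS cached
or preloaded) is upgraded before any request is sent, so nothing is captured.
"""
import re
from urllib.parse import urlsplit

HTTPS_LINK = re.compile(r"https://([^\s\"'<>]+)")

# Constructed stand-in for an unencrypted storefront page. Hostnames and paths
# are assumptions for this example, not real eBay markup.
STOREFRONT_HTML = """
<a href="https://signin.example.net/signin">Sign in</a>
<a href="https://my.example.net/myebay">My eBay</a>
"""


class SslStripProxy:
    """Sits between the victim and the server (the ARP spoofing that puts it
    there is zANTI's job and is not modelled). It speaks plain HTTP to the
    victim while fetching the real HTTPS resources upstream."""

    def __init__(self):
        self.stripped_hosts = set()   # hosts whose https:// links were rewritten
        self.captured = []            # plaintext form submissions seen

    def rewrite(self, headers, body):
        """Downgrade https:// to http:// in the body and in any Location header,
        and drop a Strict-Transport-Security header relayed from upstream."""
        def strip(match):
            self.stripped_hosts.add(urlsplit("https://" + match.group(1)).hostname)
            return "http://" + match.group(1)
        headers = {k: (HTTPS_LINK.sub(strip, v) if k.lower() == "location" else v)
                   for k, v in headers.items()
                   if k.lower() != "strict-transport-security"}
        return headers, HTTPS_LINK.sub(strip, body)

    def handle_request(self, url, form=None):
        """Return True if the victim's request arrived in plaintext (readable,
        and forwardable upstream over HTTPS), False if it used TLS end to end."""
        if urlsplit(url).scheme == "https":
            return False          # TLS straight to the real server: opaque to us
        if form:
            self.captured.append(form)
        return True


class Browser:
    """A victim browser with an HSTS cache: it only knows a host is HTTPS-only
    if it saw the header over genuine TLS earlier or the host is preloaded."""

    def __init__(self, proxy, preloaded=()):
        self.proxy = proxy
        self.hsts_hosts = set(preloaded)

    def navigate(self, url):
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hsts_hosts:
            url = "https://" + url[len("http://"):]   # internal upgrade, nothing sent in clear
        return url

    def login(self, link, username, password):
        url = self.navigate(link)
        self.proxy.handle_request(url, form={"user": username, "pass": password})
        return url


def run_scenario(preloaded=()):
    """Load the stripped storefront, follow each link to the sign-in form and
    submit credentials. Returns {link text: (final URL, credentials captured)}."""
    proxy = SslStripProxy()
    browser = Browser(proxy, preloaded)
    _, page = proxy.rewrite({"Content-Type": "text/html"}, STOREFRONT_HTML)
    links = {text: href for href, text in re.findall(r'href="([^"]+)">([^<]+)<', page)}
    results = {}
    for text, href in links.items():
        proxy.captured.clear()
        final_url = browser.login(href, "ebayuser123", "12345678")
        results[text] = (final_url, bool(proxy.captured))
    return results


if __name__ == "__main__":
    for label, preload in (("browser knows no HSTS hosts", ()),
                           ("signin host preloaded as HSTS", ("signin.example.net",))):
        print(label)
        for text, (final_url, captured) in run_scenario(preload).items():
            print(f"  {text!r:10} -> {final_url}  credentials captured: {captured}")
```

Run as written, the first scenario captures the credentials through both links, because a browser that has never seen the site's HTTPS policy happily follows the rewritten http:// link. In the second scenario the 'Sign in' submission goes over TLS and the proxy sees nothing, while the link whose host is not known to be HTTPS-only is still stripped. Note that the proxy deletes any Strict-Transport-Security header it relays, so HSTS only helps once the browser already holds the policy from an earlier genuine HTTPS visit or from the preload list; serving every page over HTTPS removes the unencrypted page the attacker needs in the first place.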
Here in the zANTI log you can see, highlighted in yellow, it has captured the password.
And there you have it: with just a basic rooted Android device, a free app and zero pen-testing knowledge we have captured the username (ebayuser123) and password (12345678) from one of the biggest websites in the world, and one which is not exactly unversed in user security.
So the next time you are using a free WiFi hotspot, even one using WPA encryption, be aware that when you type in your password, anyone who can use an app can potentially steal your login details. WPA only encrypts the link between your device and the access point; anyone who has joined the same network can still put themselves between you and the router.
Most sites, Facebook among them, serve their entire site over HTTPS, so there is no unencrypted page for an attacker to rewrite and this exploit is ineffective. The standard fix is to serve every page over HTTPS, redirect HTTP to HTTPS, and send an HTTP Strict Transport Security (HSTS) header so that browsers refuse to load the site over plain HTTP even if an attacker rewrites a link. Maybe it is time eBay caught up!