Vuln exposes eBay developer accounts

eBay security officials are requiring members of its developer program to change their passwords following the discovery of a vulnerability that could allow attackers to intercept sensitive account details. "eBay has recently identified a means by which someone could gain access to eBay Developers Program account information," …


What about buyer security?

"Out of an abundance of caution and to help ensure the security of the eBay Developers Program, we are requiring that all developers" change their passwords.

If only it was so simple for buyers to obtain real "security" on eBay's auctions.

For eBay “watchers”, a detailed case study of shill bidding and the abuse of eBay’s proxy bidding system—all exacerbated by eBay’s introduction of “hidden bidders”—plus a detailed general criticism of eBay’s “clunky” auction platform, and policies, at


Anyone contemplating bidding on an eBay auction should read this case study so that they can be aware—if they are not already aware—of just how primitive and open to abuse is the eBay auction system.

A synopsis thereof:

 very little of the auction system security, that eBay claims to offer buyers, exists in fact;

 contrary to their claims, it can be demonstrated that eBay has no “proactive” nor “sophisticated” system in place for the detection of undisclosed vendor (“shill”) bidding, and indeed eBay appears to do nothing about such criminal activity except as a reaction to users’ reports of suspicious bidding activity;

 eBay appears to have no effective matter-of-course verification of users: unscrupulous users can apparently have as many user IDs as they may have email addresses;

 many of eBay’s “rules”, concerning the retraction of bids, cancellation of auctions, etc, are nominal only and are no bar to the machinations of the unscrupulous seller;

 as a result, eBay’s “proxy” bidding system is so open to abuse by such unscrupulous sellers that to use it, as eBay intends it to be used, can be an invitation to pay your maximum;

 by the lack of any effectual system to proactively detect shill bidding, eBay has ever effectively, and knowingly, “aided and abetted” unscrupulous shill-bidding sellers to defraud naïve buyers;

 the masking of bidding IDs with non-unique, absolutely anonymous aliases serves no purpose other than to obscure all but the most blatant of shill bidding, and defeats any attempt at comprehensive analysis of individual bidding patterns to expose such activity;

 the quarterly changing of even these non-unique, absolutely anonymous, bidding aliases serves absolutely no other purpose than to stop even experienced eBay users from attempting to manually track suspicious bidding activity over time;

 the anonymous, individual bidder Bid History Details pages, supposedly supplied to offset the absolute masking of bidding IDs, although better than nothing, usually present an ambiguous view and, in such circumstances, are of dubious value;

 anyone naïve enough to “nibble” bid on a seller-elected “private” auction (ie, “User ID kept private”), on the balance of probability, is going to be defrauded;

 when suspected fraud is reported, and is found by eBay to be proved to their satisfaction, eBay will conceal that fact from the victim of the fraud; this then is the concealing of a crime after the fact, surely, a crime in itself;

 eBay will never acknowledge to a victim that a fraud has been perpetrated, nor indeed will eBay acknowledge that such fraud is even a problem on eBay auctions; eBay therefore sees no reason to provide any mechanism to aid in the recovery of any monies so defrauded;

 if eBay did have any proactive and truly sophisticated system in place for the detection and control of shill bidding, we would not now be having this debate; and

 for those buyers (and honest sellers) who embrace eBay believing that eBay acts as an “honest broker” between buyer and seller, I can only say that you may as well believe that there are fairies at the bottom of your garden too; and

 the ugliest aspect of this matter is that we would quite rightly be upset if our local auctioneer, from whom we were buying, was found to be facilitating and concealing such criminal activity—and here is eBay, knowingly, doing it to the whole world!
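The "invitation to pay your maximum" point above rests on how proxy bidding resolves prices: each bidder submits a private maximum, and the displayed price sits one increment above the second-highest maximum. The following simulation is an added illustration, not code from The Register or from eBay; it models that rule in simplified form (integer prices, a fixed increment, no reserve, no retractions), with the bidder names and amounts constructed for the example. It shows the same honest buyer paying 41 against a genuine rival, 100 when an undisclosed seller bid lands just under the buyer's maximum, and the seller being stuck as the winner when that bid overshoots.

```python
# Simplified model of proxy (automatic) bidding, written as an added example.
# Assumptions (not eBay's actual implementation): integer amounts, one fixed
# bid increment, earlier bid wins ties, a bid must be at least the current
# price plus one increment to count, and no reserve prices or retractions.

def run_proxy_auction(start_price, increment, bids):
    """Resolve a list of (bidder, max_bid) pairs in arrival order.

    Returns (winner, final_price). A proxy bidder's maximum is never revealed;
    the price only rises far enough to beat the second-highest maximum.
    """
    leader = None        # current high bidder
    leader_max = None    # that bidder's private maximum
    price = None         # currently displayed price

    for bidder, max_bid in bids:
        if leader is None:
            # First acceptable bid opens the auction at the start price.
            if max_bid >= start_price:
                leader, leader_max, price = bidder, max_bid, start_price
            continue

        if max_bid < price + increment:
            continue  # below the minimum acceptable bid; ignored

        if max_bid > leader_max:
            # Challenger takes the lead; price rises to one increment over the
            # old leader's maximum, but never above the challenger's own maximum.
            price = min(max_bid, leader_max + increment)
            leader, leader_max = bidder, max_bid
        else:
            # Leader holds (ties go to the earlier bid); the proxy raises the
            # price to one increment over the challenger, capped at the leader's max.
            price = min(leader_max, max_bid + increment)

    return leader, price


def buyer_overpayment(start_price, increment, honest_bids, extra_bids):
    """Compare the honest buyer's price with and without additional bids.

    Returns (price_without, price_with, winner_with). Illustrates the gap between
    what a proxy bidder would have paid and what a late bid just under their
    maximum extracts from them.
    """
    _, price_without = run_proxy_auction(start_price, increment, honest_bids)
    winner_with, price_with = run_proxy_auction(
        start_price, increment, honest_bids + extra_bids)
    return price_without, price_with, winner_with


if __name__ == "__main__":
    # Constructed scenario: start price 1, increment 1, buyer's proxy max 100.
    honest = [("buyer", 100), ("rival", 40)]
    print(run_proxy_auction(1, 1, honest))                          # ('buyer', 41)
    print(buyer_overpayment(1, 1, honest, [("undisclosed", 99)]))   # (41, 100, 'buyer')
    print(buyer_overpayment(1, 1, honest, [("undisclosed", 150)]))  # (41, 101, 'undisclosed')
```

The third case is the risk the post's point about bid retractions and auction cancellations refers to: an undisclosed bid that overshoots leaves the seller as the nominal winner of their own item, which is only a problem for them if those rules are actually enforced.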


re: Philip Cohe

Thanks again for posting your rant about Ebay. It was a fun read the first time. This rant now appears on every Ebay story that the Reg posts.



Did Schneier really "issue a refresher on the secure creation of passwords"? When I read the article last week I didn't feel that Schneier was advocating these guidelines. I felt that Schneier had read them and found them impractical, as suggested by his remark "I'll bet -- no one follows [the said guidelines]." Moreover, he goes on to say that he "regularly breaks seven of the rules." Surely a leading security expert would not advocate the use of something he refuses to follow himself? Furthermore, Schneier is the author of a product http://www.schneier.com/passsafe.html that clearly violates the advice to "[not] putting [passwords] into a file on your computer." On this basis I feel Dan Goodin's claim that "security guru Bruce Schneier issued a refresher on the secure creation of passwords, just last week" to be deeply flawed!

