[olug] Is eBay / Paypal really this bad?
Luke Dashjr
luke at dashjr.org
Thu Nov 27 03:18:22 UTC 2008
On Wednesday 26 November 2008 12:45:52 pm Rob Townley wrote:
> On Tue, Apr 29, 2008 at 1:46 AM, Rob Townley <rob.townley at gmail.com> wrote:
> > A substantial portion of the economy rests upon the eBay marketplace. So
> > you would think they understand some basic security practices. Am i
> > going mad? Am i not getting the same eBay everyone else is getting?
> >
> > Goto https://signin.ebay.com
> > Under the password box, click on "i forgot my password" which takes you
> > to http://cgi4.ebay.com/ws/eBayISAPI.dll?ForgotYourPasswordShow
> > which simply asks for your username and sends that in the clear, but the
> > next form prompts you to "Answer your secret questions" but then goes
> > ahead and sends them in the clear as well. No https! No SSL! No
> > javascript encryption.
> > My machine has the form action="http://cgi4.ebay.com/ws/eBayISAPI.dll"
> > when posting my "secret" answers, does yours?
> >
> >
> > Robert Townley
> > m. 402-670-4326
>
> truste.org informed me and i have done cursory verification that
> resetting your password on ebay.com and ebay.co.ie is no longer
> sending secret information in the clear.
Uh, both pieces of information mentioned above (username and "secret
questions") are not confidential. There is nothing wrong with sending them in
the clear. "Secret questions", included, since it only requires the username
to get them. Now if the *answers* or *password* were sent in the clear, that
may be a problem, but most sites still use unencrypted emails for that anyhow.
More information about the OLUG
mailing list