| imjustme | 03-26-2008 10:57 AM |
Warning: Huge eBay Security Flaw
There seems to be a huge security flaw going on at eBay right now. Before I write this, I have to state that I use Firefox and I *always* clear all cookies, both automatically and manually, when my browser closes AND when it starts up.
I just logged into one of my accounts and found myself logged into another username I have never heard of, but apparently someone who lives in the same city as me, in Japan.
How is that possible? I have no idea, but I was able to check his listings, even edit them (if I wanted to, but I didn't). I could check the closed listings, the customer information, when they paid, etc. I could also see his private address and phone details, even the credit card details (as far as eBay shows).
I only use my computer at home, so I'm not on a public computer that could have had traces of cookies. The only thing I'm thinking it could be is that eBay's cookie system recognized the same IP (I was on dialup) that he used before and logged me into his account based on that.
I then logged off that dialup connection and back in with a different provider that gave me a different IP, then I had no problems getting into my own account fine. I logged back off and on again with the other provider's same IP and again, it logged me into the other eBayer's account, again giving me full access.
I am thinking this is a huge security flaw at eBay that needs to be addressed as soon as possible, but I don't want any attention from eBay to my own account, so I'm not going to be reporting it, at least not from my own account.
Just a heads up, be careful guys! Something is fishy. I worked in the IT industry as a programmer for many years, so I know my way around cookies and servers even if I was blind. Believe me, this is not something on my end. It's on eBay's end and it's a security flaw ...and a bad one. Their cookie system is logging customers into their account based on IPs. That's baaaaaad. | 
