Online auction powerhouse eBay Inc. closed a security hole in a password-maintenance feature late Tuesday that could have allowed attackers to take over a user's account and commit fraud.
The vulnerability existed in the feature that allowed registered eBay users to change the passwords that they use to log into the site, according to Kevin Pursglove, senior director of communications at the San Jose, California, company. Though the "change your password" feature was taken offline around 5 p.m. Pacific time (1 a.m. GMT) Tuesday due to the security hole, the feature has since been fixed and put back online, he said.
The hole would have allowed an attacker who knew the publicly available name that an eBay member bids under to change that user's password, thereby taking over the account, Pursglove said. EBay was first notified by a user on March 27 or 28 that the attack was possible, Pursglove said. Users who attempted to change their passwords after the service was disabled got error messages, he added.
Although the potential existed for attackers to have access to accounts, no credit card or personal information would have been available to them, because that data is stored on separate servers and behind separate firewalls, Pursglove said.
EBay is "in the process right now of reviewing all the password changes that have come in to us recently," Pursglove said, adding that the company has not yet received any user reports of fraud or account hijacking related to the vulnerability.
The company is "still in the process of reviewing" how the hole occurred, he said.
EBay users have been hit with other account troubles recently. Some users have reported having their accounts hijacked in recent months, though Pursglove said those incidents are unrelated to Tuesday's security hole.
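The article does not say how the flaw worked, only that knowing a member's public user name was enough to set a new password. The constructed Python below is an added illustration of that class of weakness, not eBay's code and not a reconstruction of the actual bug: a password-change handler keyed only on a public account name sits beside a hardened one that requires a session bound to that same account plus proof of the current password, and both write an audit trail of the kind a review of recent password changes (as described above) would rely on. All names, passwords and the in-memory store are hypothetical.

```python
"""Illustration only: a password-change flow keyed on a public user name
versus one that binds the change to an authenticated owner."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps stored verifiers from being directly reusable if leaked.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes


class AccountStore:
    """Constructed in-memory store standing in for a site's account backend."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, str] = {}   # session token -> username
        self.audit_log: list[tuple] = []     # every change attempt, for later review

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def _verify(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))

    def login(self, username: str, password: str):
        acct = self.accounts.get(username)
        if acct is None or not self._verify(acct, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def change_password_weak(self, username: str, new_password: str) -> bool:
        # Weak: the only input is a public identifier, so anyone who knows the
        # user name can set a new password and lock the real owner out.
        acct = self.accounts.get(username)
        if acct is None:
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        self.audit_log.append(("changed-weak", username))
        return True

    def change_password(self, session_token: str, username: str,
                        current_password: str, new_password: str) -> bool:
        # Hardened: the caller must hold a live session for *this* account and
        # must prove knowledge of the current password before anything changes.
        if self.sessions.get(session_token) != username:
            self.audit_log.append(("denied", username, "session not bound to account"))
            return False
        acct = self.accounts[username]
        if not self._verify(acct, current_password):
            self.audit_log.append(("denied", username, "current password incorrect"))
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        # Drop every other session for this user so a stolen one does not survive the change.
        self.sessions = {t: u for t, u in self.sessions.items()
                         if u != username or t == session_token}
        self.audit_log.append(("changed", username))
        return True


def demo() -> dict:
    """Run both flows against constructed accounts and report the outcomes."""
    weak = AccountStore()
    weak.register("seller42", "correct-horse")          # hypothetical victim
    weak.change_password_weak("seller42", "attacker-chosen")   # attacker knows only the name
    results = {
        "weak_owner_locked_out": weak.login("seller42", "correct-horse") is None,
        "weak_attacker_logged_in": weak.login("seller42", "attacker-chosen") is not None,
    }

    hard = AccountStore()
    hard.register("seller42", "correct-horse")
    results["hard_attacker_denied"] = not hard.change_password(
        "not-a-real-token", "seller42", "guess", "attacker-chosen")
    token = hard.login("seller42", "correct-horse")
    results["hard_owner_changed"] = hard.change_password(
        token, "seller42", "correct-horse", "new-secret")
    results["hard_owner_new_login"] = hard.login("seller42", "new-secret") is not None
    results["denied_entries"] = sum(1 for e in hard.audit_log if e[0] == "denied")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit log is deliberately written on denied attempts as well as successes: a burst of "denied" records against one account, or a cluster of successful changes shortly after a feature is deployed, is exactly what a review of recent password changes needs to surface.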
News source: PC World
How does it work?
The Cydoor component of this software is simply a caching mechanism, which stores ads on your hard drive, and displays them only while the software program is open. When the ads have expired, the component deletes old ads and contacts Cydoor's servers in order to receive new ones. To do this, the Cydoor component uses your Internet connection, which was designed to take up the minimum bandwidth on your line. Each ad banner on your hard disc is about 10Kbytes.
Finally, Cydoor Technologies wants you to feel comfortable using this software. Be assured that respecting and maintaining your privacy is Grokster and Cydoor's top priority ethically and legally. If you have any questions or concerns, please visit the Cydoor website, www.cydoor.com, where you can review its privacy statement."
And from Cydoor's website:
"We can assure you that no personal information about you or about your computer is gathered and sent to us. We collect no personal information unless the user voluntarily supplied it. Our component runs on your computer only to bring you new banners and to send our servers information regarding only as to the banners you saw or clicked on."